Spam Campaign Abuses Atlassian Jira Cloud to Target Government and Corporate Entities
Threat actors exploited Atlassian Jira Cloud's trusted infrastructure to run automated spam campaigns targeting government and corporate entities, bypassing traditional email security by abusing the platform's strong domain reputation.
Trend Micro researchers have uncovered a spam campaign that abused Atlassian Jira Cloud to deliver automated, targeted spam to government and corporate entities worldwide. Active from late December 2025 through late January 2026, the campaign leveraged Jira's notification and invitation features to send malicious emails that appeared legitimate, bypassing traditional email security controls by piggybacking on Atlassian's trusted domain reputation.
The attackers created disposable Jira Cloud instances using randomized naming conventions, likely through free or trial accounts, and used Jira Automation rules to craft and send emails. By operating through Atlassian's legitimate infrastructure—hosted on AWS IP addresses that also serve legitimate deployments—the campaign avoided detection by blocklists and authentication checks like SPF and DKIM. The emails were tailored to specific language groups, including English, French, German, Italian, Portuguese, and Russian speakers, and targeted sectors such as government and corporate entities.
The campaign used the Keitaro Traffic Distribution System (TDS) to redirect victims to dubious investment schemes and online casino landing pages, indicating financial gain as the primary motive. Trend Micro noted that the attackers did not need to register domains matching the spoofed company names, relying instead on the inherent trust associated with Atlassian-generated system emails. The low barrier to creating trial accounts enabled rapid scaling of disposable instances.
Organizations using Atlassian Jira were prime targets, especially those with high email volume and heavy reliance on collaboration tools, where Jira notifications are routinely trusted. Traditional email security places higher trust on notifications from SaaS providers, and the campaign exploited this trust to bypass filters. Trend Micro shared its findings with Atlassian's security team in advance.
This activity exemplifies a growing trend of threat actors abusing legitimate SaaS platforms for malicious purposes. As SaaS platforms expand their email-driven workflows, organizations must reassess long-standing trust assumptions and tighten controls around third-party cloud-generated email. Trend Micro recommends deploying advanced email security solutions with layered detection and identity-aware controls to better detect and block phishing and abuse of trusted SaaS platforms.