What happened
Security researchers at Trend Micro identified a spam campaign where cybercriminals abused legitimate features of Atlassian Cloud, particularly Jira Cloud, to send fraudulent investment scam emails to government and corporate targets. Attackers created multiple Atlassian Cloud accounts and Jira instances using randomized names, then used Jira Automation to send emails through Atlassian’s trusted infrastructure, allowing messages to pass authentication checks such as SPF and DKIM. These emails redirected victims through traffic distribution systems like Keitaro TDS to fraudulent investment landing pages. The campaign targeted victims across multiple language groups and leveraged Atlassian’s trusted domain reputation and AWS-hosted infrastructure to evade email security filters and scale operations using automated instance creation.
Who is affected
Government organizations, corporate entities, and targeted email recipients interacting with malicious messages sent through abused Atlassian Cloud infrastructure are affected, as attackers used trusted SaaS email delivery to redirect victims to fraudulent investment platforms.
Why CISOs should care
The campaign demonstrates how attackers weaponize trusted SaaS platforms such as Atlassian Cloud to bypass traditional email security controls and deliver phishing or scam content using legitimate infrastructure.
3 practical actions
- Monitor SaaS-generated email activity. Review inbound emails originating from Atlassian Cloud infrastructure for suspicious patterns.
- Track redirect chains and malicious URLs. Detect links leading to traffic distribution systems and fraudulent landing pages.
- Strengthen email filtering policies. Implement detection mechanisms that analyze message behavior beyond domain reputation.
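
One way to act on the first and third items, as an added example that is not from the Trend Micro research or this brief: a triage check that flags mail which passes DKIM for an Atlassian domain yet carries links to hosts outside Atlassian. Assumptions: the domain list, the constructed sample messages (hypothetical site name, reserved .example hosts), and that the Authentication-Results header was written by your own mail gateway.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: domains your org accepts as Atlassian-owned; tune to your tenant.
ATLASSIAN_DOMAINS = ("atlassian.net", "atlassian.com")

def under(host, domains=ATLASSIAN_DOMAINS):
    """True if host equals or is a subdomain of a listed domain (no suffix tricks)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def dkim_pass_domains(msg):
    """DKIM-passing d= domains. Trust only Authentication-Results added by your own MTA."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        found.update(m.lower() for m in
                     re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I))
    return found

def external_links(msg):
    """Hosts of http(s) links in text parts that are not under Atlassian domains."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            for url in re.findall(r"https?://[^\s\"'<>]+", body):
                host = urlparse(url).hostname
                if host and not under(host):
                    hosts.add(host.lower())
    return hosts

def triage(raw):
    """Flag mail that authenticates as Atlassian yet links somewhere else."""
    msg = message_from_string(raw)
    authed = any(under(d) for d in dkim_pass_domains(msg))
    links = sorted(external_links(msg)) if authed else []
    return {"authenticated": authed, "external_hosts": links, "flag": bool(links)}

# Constructed samples (hypothetical site name and reserved .example hosts).
HDR = ("Authentication-Results: mx.recipient.example; spf=pass; "
       "dkim=pass header.d=example-site.atlassian.net\n"
       "From: Jira <jira@example-site.atlassian.net>\nSubject: Constructed sample\n\n")
SUSPICIOUS = HDR + "Your account is ready: https://redirect.tds.example/click?id=1\n"
BENIGN = HDR + "Issue updated: https://example-site.atlassian.net/browse/PROJ-1\n"
if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(raw))
```

A flagged message is a candidate for review, not a verdict: legitimate Jira notifications can also carry external links, so feed the listed hosts into whatever URL reputation or redirect analysis you already run.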
