Cybercriminals Abuse Atlassian Cloud Infrastructure to Deliver Investment Scam Emails

Related

DraftKings Hacker “Snoopy” Sentenced to 18 Months in Prison

What happened In June 2026, the DraftKings hacker Nathan Austad,...

Scattered Spider Members Plead Guilty to Transport for London Hack

What happened Two members of the Scattered Spider cybercrime group...

INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific

What happened INTERPOL warned that cybercrime is rising sharply across...

International Takedown Disrupts RedVDS Cybercrime Platform Driving Phishing and Fraud

What happened International takedown disrupts RedVDS cybercrime platform driving phishing...

Share

What happened

Security researchers at Trend Micro identified a spam campaign where cybercriminals abused legitimate features of Atlassian Cloud, particularly Jira Cloud, to send fraudulent investment scam emails to government and corporate targets. Attackers created multiple Atlassian Cloud accounts and Jira instances using randomized names, then used Jira Automation to send emails through Atlassian’s trusted infrastructure, allowing messages to pass authentication checks such as SPF and DKIM. These emails redirected victims through traffic distribution systems like Keitaro TDS to fraudulent investment landing pages. The campaign targeted victims across multiple language groups and leveraged Atlassian’s trusted domain reputation and AWS-hosted infrastructure to evade email security filters and scale operations using automated instance creation. 

Who is affected

Government organizations, corporate entities, and targeted email recipients interacting with malicious messages sent through abused Atlassian Cloud infrastructure are affected, as attackers used trusted SaaS email delivery to redirect victims to fraudulent investment platforms. 

Why CISOs should care

The campaign demonstrates how attackers weaponize trusted SaaS platforms such as Atlassian Cloud to bypass traditional email security controls and deliver phishing or scam content using legitimate infrastructure. 

3 practical actions

  • Monitor SaaS-generated email activity. Review inbound emails originating from Atlassian Cloud infrastructure for suspicious patterns. 
  • Track redirect chains and malicious URLs. Detect links leading to traffic distribution systems and fraudulent landing pages. 
  • Strengthen email filtering policies. Implement detection mechanisms that analyze message behavior beyond domain reputation.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.