Jira Cloud Exploited for Targeted Spam Campaigns

In early 2026, Trend Micro researchers identified a targeted spam campaign that abused Atlassian Jira Cloud infrastructure to distribute financially motivated spam to government and corporate entities worldwide. By leveraging the trusted atlassian[.]net domain and Jira’s built-in automation features, attackers were able to bypass traditional email security controls and deliver localized, high-engagement spam messages. This campaign demonstrates how legitimate SaaS platforms with strong domain reputations can be weaponized to evade detection and exploit organizational trust in collaboration tools.

Severity: High

Technical Details

1. Infrastructure Provisioning

  • Account Creation: Attackers created disposable Atlassian Cloud instances at scale using randomized naming conventions.
  • Infrastructure: Malicious instances resolved to legitimate AWS IPs shared with standard Atlassian deployments, preventing IP-based blocking.
  • Ease of Access: The straightforward Jira trial registration process provided a low barrier to entry for repeated instance generation.

2. Execution and Delivery

  • Jira Automation: Rather than bulk-adding users (which triggers suspicious invitations), actors used Jira Automation rules to deliver custom emails through Jira’s integrated email platform.
  • Anonymity: The delivery method did not require recipients to be enrolled in a project or even be listed Jira users, allowing for wide, anonymous distribution.
  • Bypassing Filters: Because the emails originated from the legitimate atlassian[.]net domain, they inherited a high trust score from traditional email security filters.

3. Victimology

  • Target Sectors: Technology, Hospitality, Banking/Financial, Manufacturing, Construction/Real Estate, Government, Healthcare, Events, Chemicals/Pharmaceuticals, Travel/Tourism, Insurance, Aviation/Defense.
  • Geographic Focus: Global, with specific language-based targeting (English-, French-, German-, Italian-, Portuguese-, and Russian-speaking users).
  • Organizations already using Atlassian Jira were disproportionately targeted to increase the likelihood that recipients would trust the message source.

Payload And Post-Click Activity

The campaign utilized a Traffic Distribution System (TDS) known as Keitaro. This system served as a redirector, channeling targets to:

  • Dubious investment schemes (promising returns like 5000 rubles/day).
  • Online casino landing pages (e.g., “Chin Chin Casino”).

Recommendations

  1. Implement advanced AI email security, as the messages passed SPF and DKIM checks because they were sent through legitimate Atlassian infrastructure.
  2. Configure email gateways to flag or quarantine external notifications from Jira instances that do not match known corporate instance naming conventions.
  3. Implement detection for traffic directed toward the Keitaro Traffic Distribution System, which was weaponized to funnel targets to gambling and scam sites.
  4. Ensure your internal Atlassian instances are properly configured with domain ownership verification to prevent “shadow” or spoofed instances from appearing legitimate to employees.
  5. Monitor unusual Jira automation rule creation. Audit newly created Atlassian trial instances linked to your domain. Flag abnormal notification patterns.
  6. Train employees to recognize unexpected Jira notifications. Emphasize caution with localized subject lines referencing bonuses, gifts, or confirmations.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/ef6fe5e77e6d73f625de673f4608981b70cb516eef9b1ba3b839901075296699/iocs
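
A sketch of the gateway check in recommendation 2, added here as an example and not taken from Trend Micro's or Atlassian's tooling. It assumes the Jira site name appears as the subdomain of atlassian.net in the sender headers or body links; the allowlisted site names and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: your organisation's own Jira Cloud site names (hypothetical values).
KNOWN_INSTANCES = {"examplecorp", "examplecorp-sandbox"}

# Captures <site> from <site>.atlassian.net in an address or URL.
INSTANCE_RE = re.compile(r"\b([a-z0-9][a-z0-9-]*)\.atlassian\.net\b", re.I)

def jira_instances(raw_message: str) -> set[str]:
    """Return every Jira Cloud site name seen in sender headers or text bodies."""
    msg = message_from_string(raw_message)
    found = set()
    for header in ("From", "Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        found.update(m.lower() for m in INSTANCE_RE.findall(addr))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            found.update(m.lower() for m in INSTANCE_RE.findall(body))
    return found

def verdict(raw_message: str) -> str:
    """'pass': no Jira site seen; 'allow': only known sites; 'quarantine': any unknown site."""
    seen = jira_instances(raw_message)
    if not seen:
        return "pass"
    return "allow" if seen <= KNOWN_INSTANCES else "quarantine"

# Constructed sample messages (not real campaign artefacts).
SPAM = (
    "From: Rewards Team <jira@qx7f2k9.atlassian.net>\n"
    "To: user@examplecorp.test\n"
    "Subject: Confirm your bonus\n\n"
    "Open https://qx7f2k9.atlassian.net/browse/AB-1 to confirm.\n"
)
LEGIT = (
    "From: Jira <jira@examplecorp.atlassian.net>\n"
    "To: user@examplecorp.test\n"
    "Subject: [JIRA] (OPS-42) Rotate API keys\n\n"
    "View: https://examplecorp.atlassian.net/browse/OPS-42\n"
)

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT)):
        print(name, sorted(jira_instances(raw)), verdict(raw))
```

A message is quarantined if any referenced site is unknown, so a known sender address paired with a link to an unfamiliar site is still held for review.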

Source:

  • https://www.trendmicro.com/en_us/research/26/b/spam-campaign-abuses-atlassian-jira.html

Ampcus Cyber