SaaS Platforms Abused: GitHub and Jira Become Phishing Proxies
Threat actors are weaponizing GitHub and Jira’s internal notification systems to craft undetectable phishing campaigns. By hijacking official mail servers, attackers send emails that bypass standard security protocols like SPF, DKIM, and DMARC, making these attacks extremely difficult to block.
Messages routed through verified domains appear to originate from trusted sources, landing directly in inboxes and evading traditional gateways.
Credential harvesting remains the primary objective, with phishing serving as the first stage for broader account compromises. Analysis revealed that during a single campaign in February 2026, approximately 2.89% of all GitHub emails exhibited malicious traits, demonstrating the scale of exploitation.
Cisco Talos documented spikes in spam activities driven by notification pipelines, with 1.20% of “[email protected]” messages containing billing-themed lures over a five-day period.
Platform-as-a-Proxy (PaaP) Technique
This emerging model exploits legitimate SaaS platforms as delivery proxies for malicious content. Since emails originate from GitHub or Jira infrastructure, they inherit cryptographic signatures and domain reputation, effectively providing attackers with “built-in approval” that security systems rarely challenge. Attackers embed social-engineering lures within standard workflows, referencing invoices, support issues, or urgent account problems to exploit user expectations.
GitHub Commit Notification Abuse
Attackers create repositories and push malicious commits to hijack automated email alerts. The commit summary serves as the initial hook—often billing-related—while the extended description hosts phishing content. When triggered, GitHub sends notifications from authenticated SMTP hosts (e.g., “out-28.smtp.github.com”), complete with valid d=github.com DKIM signatures. This bypasses filtering due to genuine headers and structures.

Jira Invitation Hijacking
Attackers abuse Jira Service Management projects by embedding malicious content in configurable fields like “Project Name” or “Welcome Message.” Invitations masquerade as legitimate customer tickets, leveraging Atlassian’s trusted templates and branding in footers. Given Jira’s role in corporate workflows, these emails evade scrutiny by mimicking critical internal communications.

The Trust Paradox and Defensive Strategies
This abuse highlights a critical “trust paradox,” where organizations overtrust SaaS-originated emails. Mitigation requires a zero-trust approach:
- Identity-check allowed SaaS instances and sender domains
- Integrate GitHub/Atlassian API logs into SIEM/SOAR systems to detect suspicious activity
- Profile normal usage patterns to flag abnormal billing or financial lures
- Add friction for high-risk notifications (e.g., multi-factor authentication)
- Automate takedowns of malicious repositories/projects
GitHub’s reputation as a developer hub and Jira’s role in business workflows enable attackers to launder malicious content through trusted brands. Organizations must shift from domain-level trust to contextual verification to neutralize these evolving threats.