A new spam campaign is slipping past enterprise defenses by wearing a disguise that most security filters explicitly trust: Atlassian Jira. A new report from Trend Micro details how threat actors are abusing the popular project management platform to blast malicious emails into the inboxes of government agencies and major corporations worldwide.
By pivoting off Atlassian’s high domain reputation, the attackers have turned a tool designed for collaboration into a delivery system for financial scams.
The brilliance of the attack lies in its abuse of trust. Instead of sending emails from a suspicious domain, the attackers use Jira’s own notification system. They create legitimate Jira tickets that trigger email alerts to their targets. Because these emails originate from Atlassian’s actual infrastructure, they pass authentication checks like SPF and DKIM and get through standard spam filters.

“Attackers abused Atlassian Cloud’s trusted domain for a spate of spam campaigns. The campaigns tried to leverage the domain name and reputation of this legitimate and well-known SaaS platform,” the report states.
The attackers specifically hunted for organizations that already used Jira, knowing that employees in those environments are conditioned to click on ticket notifications.
“Our analysis indicates that organizations already using Atlassian Jira were among the primary targets,” Trend Micro researchers noted. “Sectors characterized by high email volume and heavy adoption of collaboration tools might also have been considered as good targets… as they would likely trust and routinely interact with Jira-generated notifications.”
This targeting extended to language as well. The emails were tailored to specific language groups, including English, French, German, Italian, Portuguese, and Russian speakers, aiming to snare highly skilled professionals.
Once a victim clicks the link in the “Jira” email, they aren’t taken to a project board. Instead, they enter a complex redirection chain powered by a Traffic Distribution System (TDS) known as Keitaro.
“In this instance, it was weaponized to redirect spam URLs to final landing pages, the content of which ranged from dubious investment schemes and online casinos,” the report explains.
This infrastructure allowed the attackers to filter traffic and ensure that only real humans—not security bots—reached the final scam pages, which often featured “dubious investment schemes” or gambling platforms designed to harvest financial data.
“Enterprises should deploy advanced email security solutions… which provide layered detection and identity-aware controls to better detect and block phishing and abuse of trusted SaaS platforms,” the report concludes.
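Since SPF and DKIM pass for these messages, a mail-side check has to look at which Jira site sent the notification and where its links point. The following sketch is an added example, not code from Trend Micro or Atlassian; the tenant name `example-corp.atlassian.net`, the Atlassian domain suffixes, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the report: our own Jira Cloud site name and the
# domain suffixes that Jira Cloud notifications and their links normally use.
OWN_JIRA_SITES = {"example-corp.atlassian.net"}      # hypothetical tenant
ATLASSIAN_SUFFIXES = (".atlassian.net", ".atlassian.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_atlassian(host):
    return any(host == s[1:] or host.endswith(s) for s in ATLASSIAN_SUFFIXES)

def triage(raw):
    """Triage one raw message; returns None if it is not a Jira-style notification."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not is_atlassian(sender):
        return None
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    findings = []
    if sender not in OWN_JIRA_SITES:
        findings.append("sender is not our Jira site: " + sender)
    findings += ["link leaves Atlassian: " + h
                 for h in sorted(hosts) if h and not is_atlassian(h)]
    # auth_pass is reported separately: passing SPF/DKIM does not clear a message.
    return {"auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
            "findings": findings}

# Constructed sample messages (not taken from the campaign).
HEADERS = ("Authentication-Results: mx.example.org; spf=pass; dkim=pass\n"
           "Subject: [JIRA] (OPS-12) Update\n")
SPAM = ("From: Jira <jira@unknown-tenant.atlassian.net>\n" + HEADERS +
        "\nView issue: https://redirect.example.net/c/1\n")
LEGIT = ("From: Jira <jira@example-corp.atlassian.net>\n" + HEADERS +
         "\nView issue: https://example-corp.atlassian.net/browse/OPS-12\n")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, triage(raw))
```

Both sample messages report `auth_pass` as true; only the sender site and link destination separate them, which is why the allowlist of your own Jira sites carries the decision.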