Threat Actors Abuse Atlassian Jira Cloud to Bypass Email Security and Target Government Entities

    Trend Micro researchers have uncovered a sophisticated spam campaign that weaponizes Atlassian Jira Cloud’s trusted infrastructure to bypass traditional email security controls and target government and corporate entities worldwide.

    The campaign, active from late December 2025 through late January 2026, demonstrates how threat actors can exploit legitimate software-as-a-service (SaaS) platforms to deliver malicious content while evading detection.

    Key Findings

    • Trusted Domain Abuse: Attackers leveraged Atlassian Cloud’s strong domain reputation to bypass blocklists and email filters
    • Valid Authentication: Emails passed SPF and DKIM checks through Atlassian’s integrated email system, appearing legitimate to security controls
    • Multi-Language Targeting: Campaigns targeted English, French, German, Italian, Portuguese, and Russian speakers with localized subject lines
    • Government Focus: Specific targeting of government and corporate sectors, including highly skilled Russian professionals working abroad
    • Financial Motivation: Recipients were redirected to dubious investment schemes and online casino landing pages via Keitaro Traffic Distribution System (TDS)

    Attack Methodology

    Threat actors created Atlassian Cloud accounts using randomized naming conventions, enabling them to generate disposable Jira Cloud instances at scale. Analysis revealed these instances resolved to legitimate AWS infrastructure (13.227.180.4), confirming the use of genuine Atlassian Cloud services rather than compromised servers.

    The attackers exploited Jira Automation rules to deliver crafted emails through an integrated email sending platform. Notably, recipients did not need to be listed users within the Jira instance, nor accept any invitation—allowing widespread, anonymous delivery without exposing attacker infrastructure.

    Why This Attack Works

    Traditional email security places higher trust in notifications from SaaS providers. This campaign exploited that inherent trust by:

    • Using legitimate atlassian.net sender domains with strong reputation
    • Passing SPF and DKIM authentication checks automatically
    • Targeting organizations already using Atlassian Jira, where such emails are routinely trusted
    • Creating trial accounts with no domain ownership verification required

    Indicators of Compromise

    Malicious domains identified in the campaign include:

    • adrinal[.]com
    • barankinyserialxud[.]online
    • archicad3d[.]com
    • go[.]sparkpostmail1[.]com (redirect intermediary)

    Defensive Recommendations

    Organizations should:

    • Deploy advanced email security solutions with AI-powered threat detection
    • Implement identity-aware controls for emails from cloud SaaS providers
    • Train employees to scrutinize Jira notifications, especially those with unexpected links
    • Monitor for emails from unfamiliar Atlassian instances
    • Consider allowlisting only known, internal Atlassian Cloud instances
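    The last two recommendations hinge on one check that SPF and DKIM cannot do for you: whether the Jira Cloud site behind a notification is one your organisation actually owns. The following added example (not code from Trend Micro or Atlassian) flags messages whose sender address or body links reference an atlassian.net site outside a local allowlist; it assumes Jira Cloud notifications arrive from an address under `<site>.atlassian.net` and link to `https://<site>.atlassian.net/...`, and the allowlist, addresses and message text are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: the Jira Cloud site names the organisation itself operates.
KNOWN_SITES = {"acme-corp"}

# A Jira Cloud site is the single label in front of .atlassian.net (assumed layout).
ATLASSIAN_HOST = re.compile(r"^([a-z0-9-]+)\.atlassian\.net$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def atlassian_site(hostname):
    """Return the Jira Cloud site name if hostname is an atlassian.net host, else None."""
    m = ATLASSIAN_HOST.match(hostname or "")
    return m.group(1).lower() if m else None


def unknown_atlassian_sites(raw_message, known_sites=KNOWN_SITES):
    """Return the atlassian.net site names referenced by the From address or by links in
    the text parts that are not in the allowlist. An empty set means every referenced
    site is known (or the mail references no Atlassian site at all)."""
    msg = message_from_string(raw_message)
    sites = set()
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if atlassian_site(sender_host):
        sites.add(atlassian_site(sender_host))
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            text = part.get_payload(decode=True).decode(charset, "replace")
            for url in URL_RE.findall(text):
                site = atlassian_site(urlparse(url).hostname)
                if site:
                    sites.add(site)
    return {s for s in sites if s not in known_sites}


# Constructed sample: passes authentication, but comes from a site the organisation does not own.
SAMPLE_MAIL = """\
From: Jira <jira@qx7f3kz9.atlassian.net>
To: analyst@example.gov
Subject: [JIRA] (QX-1) Action required
Authentication-Results: mx.example.gov; spf=pass; dkim=pass header.d=atlassian.net
Content-Type: text/plain; charset=utf-8

A new issue was assigned to you:
https://qx7f3kz9.atlassian.net/browse/QX-1
"""

if __name__ == "__main__":
    print("unfamiliar Atlassian sites:", unknown_atlassian_sites(SAMPLE_MAIL))
```

    Because the sender domain and authentication results look identical for a legitimate and an attacker-created instance, the site name is the only field in these headers that distinguishes them.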

    Trend Micro has shared the findings with Atlassian’s security team to address the platform abuse.

    Source: Trend Micro Research