Current Cyber Threats

Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities

Summary:
A recently observed spam and phishing campaign, active from late December 2025 through late January 2026, abused Atlassian Jira Cloud infrastructure to bypass traditional email security controls. Threat actors leveraged the inherent trust and high domain reputation of Atlassian's legitimate SaaS platform to distribute targeted spam and phishing lures. By exploiting Jira Automation rules, attackers delivered financially motivated lures, specifically investment scams and online casino platforms, to government and corporate entities worldwide.

Organizations with existing Jira footprints and high collaboration tool usage were heavily targeted to increase the probability of user interaction. The campaign relied on the psychological trust users place in automated Jira notifications. Attackers localized subject lines based on the target's language and region to improve engagement. In some documented cases, the threat actors used standard Jira-generated subject lines, which may have just been the result of misconfigured automation rules. The report from Trend Micro details specific lures observed in Russian, Italian, and English. This campaign highlights a growing strategic shift where adversaries weaponize legitimate cloud infrastructure and built-in email authentication protocols to evade blocklists.

Security Officer Comments:
The threat actors orchestrated a highly automated campaign that relied entirely on abusing legitimate cloud service features. Threat actors bulk-created disposable Atlassian Jira Cloud instances using randomized naming conventions via free or trial accounts. These instances resolved to a legitimate AWS IP (13[.]227[.]180[.]4) associated with Atlassian. Warning: Attempting to block this IP address will likely break legitimate Atlassian Jira instances across the organization. No custom domains were registered. Attackers relied entirely on the trusted atlassian[.]net sender domain.

The campaign targeted organizations already utilizing Atlassian Jira. Target lists were tailored by language (English, French, German, Italian, Portuguese, and Russian) and included highly skilled Russian professionals living abroad. Instead of using Jira's bulk CSV user-add feature, the adversaries leveraged Jira Automation rules to trigger crafted emails through Atlassian's integrated email platform. Recipients did not need to be enrolled users in the instance. Because the emails originated from atlassian[.]net, they successfully passed native SPF and DKIM authentication checks. Embedded links in the emails directed victims to an intermediary redirector (an abused legitimate marketing platform). This redirector then routed victims through the Keitaro Traffic Distribution System (TDS), a legitimate affiliate tracking tool weaponized to dynamically send users to the final malicious landing pages. The landing pages observed by Trend Micro suggest the threat actors’ motivation is financial gain.

Suggested Corrections:
IOCs are available in the Trend Micro report linked below.

Actionable Suggested Corrections:
  • Block Malicious Domains: Immediately implement network and DNS-level blocking for the identified final payload domains: adrinal[.]com, barankinyserialxud[.]online, and archicad3d[.]com.
  • Monitor Intermediary Routing: Monitor inbound traffic and email links routing through go[.]sparkpostmail1[.]com for anomalous or unsolicited redirects.
  • Hunt for Campaign Indicators: Query SIEM/mail logs for the specific Jira-spoofed localized subject lines (e.g., mailMsgSubject:"%Заявка №" AND mailMsgSubject:"Необходимо Ваше подтверждение").
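As an added example (not code from Trend Micro, Atlassian, or this bulletin), the following triage filter applies the hunting suggestions above to mail-log records: it checks the redirector and final-payload domains, the localized subject fragments, and, since atlassian[.]net itself passes SPF/DKIM, whether the Jira site that generated the notification is one the organization actually owns. It assumes a log record shape of id/sender/subject/urls, that Jira Cloud notifications arrive from jira@<site>.atlassian.net, and a tenant allowlist maintained by the defender; the sample log is constructed.

```python
# Added example for this bulletin, not code from Trend Micro or Atlassian.
# Assumptions: mail logs are dicts with fields id, sender, subject, urls;
# Jira Cloud notifications arrive from jira@<site>.atlassian.net; and the
# organization keeps an allowlist of the Jira sites it actually owns.
import re
from urllib.parse import urlparse

# Indicators from the bulletin (shown defanged in the text).
FINAL_DOMAINS = {"adrinal.com", "barankinyserialxud.online", "archicad3d.com"}
REDIRECTORS = {"go.sparkpostmail1.com"}
# Localized subject fragments quoted in the hunting suggestion above.
SUBJECT_LURES = re.compile(r"Заявка №|Необходимо Ваше подтверждение")
SENDER_RE = re.compile(r"^[^@]+@([a-z0-9-]+)\.atlassian\.net$", re.I)

def _under(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(msg: dict, known_sites: set) -> list:
    """Return the campaign traits matched by one mail-log record."""
    hits = []
    m = SENDER_RE.match(msg.get("sender", ""))
    if m:
        # atlassian.net passes SPF/DKIM; what matters is the tenant (site).
        site = m.group(1).lower()
        if site not in known_sites:
            hits.append("jira-site-not-owned:" + site)
    if SUBJECT_LURES.search(msg.get("subject", "")):
        hits.append("subject-lure")
    for url in msg.get("urls", []):
        host = (urlparse(url).hostname or "").lower()
        if _under(host, REDIRECTORS):
            hits.append("link-redirector:" + host)
        if _under(host, FINAL_DOMAINS):
            hits.append("link-final-domain:" + host)
    return hits

def scan(records: list, known_sites: set) -> dict:
    """Map message id -> matched traits for every record with at least one hit."""
    return {r["id"]: h for r in records if (h := triage(r, known_sites))}

# Constructed sample log: one genuine notification, one campaign-style mail.
SAMPLE_LOG = [
    {"id": "m1", "sender": "jira@acme-corp.atlassian.net",
     "subject": "[JIRA] (OPS-42) Deploy runbook updated",
     "urls": ["https://acme-corp.atlassian.net/browse/OPS-42"]},
    {"id": "m2", "sender": "jira@qx7k2p9.atlassian.net",
     "subject": "Заявка №1188: Необходимо Ваше подтверждение",
     "urls": ["https://go.sparkpostmail1.com/f/a/EXAMPLE-TRACKING-ID"]},
]
```

Running `scan(SAMPLE_LOG, {"acme-corp"})` flags only m2, on all three traits; the tenant-ownership check is the one that generalizes beyond the specific lures and domains listed above.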
General Best Practices:
  • Deploy Advanced Email Filtering: Implement AI-powered, identity-aware email security solutions capable of analyzing behavioral anomalies in SaaS-generated notifications, rather than relying solely on SPF/DKIM validation.
  • Reassess SaaS Trust Assumptions: Adjust security policies to apply zero-trust principles to third-party cloud-generated emails, recognizing that legitimate SaaS sender domains are actively being weaponized to bypass blocklists.
  • Enhance Security Awareness Training: Educate employees, especially in corporate and government sectors, on the risks of interacting with unexpected SaaS notifications, emphasizing the need to verify the context of the notification via internal channels.
Link(s):
https://www.trendmicro.com/en_us/research/26/b/spam-campaign-abuses-atlassian-jira.html