
Phishers Sneak Through Using GitHub and Jira’s Own Mail Delivery Infrastructure
Why It Matters
Because the emails appear to come from trusted cloud services, traditional email‑security controls are bypassed, exposing enterprises to credential theft, malware delivery, and brand damage. The tactic forces security teams to rethink detection beyond sender authentication.
Key Takeaways
- GitHub notifications used to deliver phishing via commit summaries
- 2.89% of GitHub emails linked to abuse on peak day
- Jira Invite Customers feature injects malicious content into trusted emails
- Attacks pass SPF, DKIM, DMARC, evading gateway filters
- Organizations must monitor SaaS notification abuse and enforce user controls
Pulse Analysis
The rise of software‑as‑a‑service has introduced a subtle but potent attack surface: platform‑generated notifications. Unlike typical phishing emails that rely on spoofed domains, these messages are dispatched from the provider’s own infrastructure, automatically inheriting valid SPF, DKIM and DMARC records. This technical legitimacy strips away the primary filters that most organizations depend on, allowing malicious payloads to land directly in inboxes without triggering alerts. As SaaS adoption accelerates, threat actors are increasingly looking for ways to weaponize built‑in communication channels.
GitHub and Atlassian Jira illustrate how the abuse works in practice. On GitHub, attackers push a commit with a crafted short summary that becomes the headline of the notification email, while the longer description carries the phishing lure—often fake billing notices or credential‑stealing links. Researchers observed that on a single peak day, nearly three percent of all GitHub notification traffic was tied to this scheme. Jira’s “Invite Customers” workflow is similarly compromised: malicious actors create a service‑desk project, embed harmful content in the welcome message or description, and then use the platform’s trusted email template to deliver the phishing message. The Atlassian branding and signed templates further reduce the likelihood of detection, making these emails appear routine to end users.
Defending against this vector requires a shift from identity‑based to behavior‑based security controls. Organizations should audit SaaS notification settings, enforce least‑privilege access for repository commits and project creation, and deploy email gateways that inspect content anomalies rather than just authentication headers. User education remains critical; employees need to recognize that even messages from reputable services can be weaponized. Finally, integrating threat‑intelligence feeds that flag known abuse patterns can help security operations teams respond faster, preserving the integrity of both SaaS platforms and corporate inboxes.
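The content-anomaly inspection described above can be sketched as follows. This is an added example, not code from the article or from either platform: it scores only mail that is fully authenticated from a SaaS notification domain and flags it when lure wording and off-platform links occur together. The domain allowlists, lure terms and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: sender domain -> link hosts expected in that platform's notifications.
PLATFORM_LINK_HOSTS = {"github.com": ("github.com", "githubusercontent.com"),
                       "atlassian.net": ("atlassian.net", "atlassian.com")}
# Assumption: lure vocabulary drawn from the billing/credential themes described above.
LURE_TERMS = re.compile(r"\b(invoice|billing|payment|password|verify your account)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def assess(raw):
    """Return (verdict, reasons) for one RFC 5322 message supplied as text."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    platform = next((d for d in PLATFORM_LINK_HOSTS if _under(sender, d)), None)
    # Only trust Authentication-Results stamped by your own receiving MTA.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if platform is None or not all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")):
        return "out-of-scope", []  # unauthenticated mail is the gateway's normal job
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    text = msg.get("Subject", "") + "\n" + body
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    off = sorted(h for h in hosts if h and not any(_under(h, d) for d in PLATFORM_LINK_HOSTS[platform]))
    lures = sorted({m.lower() for m in LURE_TERMS.findall(text)})
    reasons = [f"{k}: {', '.join(v)}" for k, v in (("off-platform links", off), ("lure terms", lures)) if v]
    # Flag only when both signals co-occur; commits may legitimately link elsewhere.
    return ("suspicious" if off and lures else "ok"), reasons

AUTH = "Authentication-Results: mx.corp.example; spf=pass; dkim=pass header.d=github.com; dmarc=pass\n"
# Constructed sample messages, not real notifications.
LURE_MAIL = ("From: dev <notifications@github.com>\n" + AUTH +
             "Subject: [acme/app] Invoice overdue: payment required\n\n"
             "Update billing details at http://billing-update.example/login\n"
             "View it on GitHub: https://github.com/acme/app/commit/abc123\n")
BENIGN_MAIL = ("From: dev <notifications@github.com>\n" + AUTH +
               "Subject: [acme/app] Fix null check in parser\n\n"
               "View it on GitHub: https://github.com/acme/app/commit/def456\n")

if __name__ == "__main__":
    print(assess(LURE_MAIL), assess(BENIGN_MAIL))
```

In production the allowlists and lure terms would need tuning against real notification traffic, and the verdict is better used as one scoring signal than as a blocking rule.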