
GitHub and Jira Phishing Campaign Bypasses Standard Email Security Gateways

A new GitHub and Jira phishing campaign is bypassing modern email security gateways by hijacking the legitimate notification infrastructure of these trusted SaaS platforms. According to researchers at Cisco Talos, attackers are using built-in features to have the platforms themselves send the malicious content. Because the messages originate from GitHub's and Atlassian's own mail systems, they pass SPF, DKIM, and DMARC checks outright: those protocols verify which domain sent a message, not what its body says. For IT administrators and corporate employees, this means convincing spam and phishing links land directly in primary inboxes without triggering security flags.

By decoupling their malicious intent from their own technical infrastructure, threat actors are weaponizing the very tools developers and project managers rely on daily. Because the emails are dispatched directly from GitHub and Atlassian servers, they satisfy every standard email authentication check, and few security gateways are configured to challenge content that arrives that way.

Exploiting GitHub Notifications

On GitHub, attackers abuse the platform's repository activity notifications to deliver their payloads. When a user pushes a commit to an existing project, GitHub generates an email notification to the repository's collaborators. The wrapper of that email is GitHub's own, so gateways that judge mail by its sender treat it as routine; only the text inside comes from the attacker.

The attackers exploit the two text fields provided during a commit: the short summary and the longer description. They craft a convincing, attention-grabbing message in the short summary, which appears first in the email. The actual malicious payload, such as fake billing details or phishing links, is hidden within the longer description.

Cisco Talos noted that this method has seen significant adoption among threat actors. On one observed peak day, 2.89% of all emails sent from GitHub were linked to this specific type of abuse.

Weaponizing Jira's Service Management

The Jira technique relies on the platform's Invite Customers feature rather than repository activity. Attackers register a new Jira account and create a Service Management project with a legitimate-sounding name. They then place their malicious content, such as fake security alerts, in the Welcome Message or Project Description fields.

Using the built-in invitation tool, the attackers enter the victims' email addresses. Atlassian's backend assembles the email, inserting the attacker's text into its trusted, DKIM-signed notification template. The result is a professionally formatted Service Desk notification complete with Atlassian branding.

Because the malicious message is sent within Atlassian's own templates, it is highly unlikely to be flagged by email security solutions. Furthermore, Jira notifications are expected in corporate environments and are rarely blocked by internal policies.

How to Protect Your Organization

Since these attacks bypass traditional email gateways, organizations must adapt their defensive strategies to catch malicious payloads hidden within legitimate SaaS traffic.

  1. Train employees on context: Instruct staff to verify the actual links and context of GitHub commits or Jira invitations, even when the sender address is legitimate. A billing notice or security alert inside a commit message or a service desk welcome message is itself the warning sign.
  2. Monitor for unexpected projects and tenants: Security teams should look for Jira Service Management invitations from Atlassian sites the organization never created, and for GitHub repository additions or commit notifications from unknown external users.
  3. Inspect link destinations, not just sender reputation: Since the email itself passes SPF, DKIM, and DMARC, email gateways should still extract and evaluate the URLs in notification bodies rather than exempting trusted sender domains, and endpoint protection and web gateways must scan and block the destination URLs when a user clicks.
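The following triage script is an added example of the checks in items 2 and 3; it is not Cisco Talos tooling and not part of the original article. It confirms that a message passed SPF, DKIM, and DMARC (which only proves which platform sent it), then checks whether the sender is a Jira tenant the organization actually owns and whether the body links anywhere other than the platform itself. The tenant list, the addresses, the hostnames, and all three sample messages are constructed placeholders.

```python
"""Triage for SaaS notification mail that passes SPF, DKIM and DMARC.

Added example; not Cisco Talos tooling and not part of the article.
Authentication results only prove which platform sent the message, so the
checks below look at the sender tenant and at where the body's links go.
All sample messages, addresses and hostnames are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Atlassian Cloud sites this organisation actually uses (assumption: one tenant).
KNOWN_JIRA_TENANTS = {"example.atlassian.net"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.I)


def auth_results(msg):
    """Map spf/dkim/dmarc -> verdict from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def expected_hosts(sender):
    """Hosts a genuine notification from this sender may link to, plus an
    optional finding when the sender or Jira tenant is not one we know."""
    domain = sender.rsplit("@", 1)[-1]
    if domain == "github.com":
        return {"github.com", "www.github.com"}, None
    if domain.endswith(".atlassian.net"):
        hosts = {domain, "atlassian.com", "www.atlassian.com", "id.atlassian.com"}
        note = None if domain in KNOWN_JIRA_TENANTS else f"unknown-jira-tenant:{domain}"
        return hosts, note
    return set(), f"unknown-sender:{sender}"


def body_text(msg):
    """Concatenate the text/plain parts of the message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    auth = auth_results(msg)
    # A failing verdict is the classic gateway case; this campaign passes all three.
    if any(auth.get(k) != "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("auth-not-pass")
    hosts, note = expected_hosts(sender)
    if note:
        findings.append(note)
    # Links pointing outside the platform are the payload hiding in the template.
    for host in sorted({h.lower() for h in URL_HOST_RE.findall(body_text(msg))}):
        if host not in hosts:
            findings.append(f"foreign-link:{host}")
    return findings


# Constructed sample: a normal commit notification, links only to github.com.
GITHUB_BENIGN = """From: Alice <notifications@github.com>
To: bob@example.com
Subject: [example/app] Fix null check in parser (a1b2c3d)
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=github.com; dkim=pass header.d=github.com; dmarc=pass header.from=github.com
Content-Type: text/plain; charset=utf-8

Fix null check in parser

View it on GitHub: https://github.com/example/app/commit/a1b2c3d
"""

# Constructed sample: lure in the commit summary, payload link in the description.
GITHUB_ABUSE = """From: Billing Team <notifications@github.com>
To: bob@example.com
Subject: [example/app] Invoice #4471 overdue - action required (f00d5c0)
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=github.com; dkim=pass header.d=github.com; dmarc=pass header.from=github.com
Content-Type: text/plain; charset=utf-8

Invoice #4471 overdue - action required

Your payment failed. Update your card within 24 hours at
https://billing-refund-portal.example/verify to avoid suspension.

View it on GitHub: https://github.com/example/app/commit/f00d5c0
"""

# Constructed sample: Jira Service Management invite from a tenant we never created.
JIRA_ABUSE = """From: IT Security Helpdesk <jira@acme-it-helpdesk.atlassian.net>
To: bob@example.com
Subject: You have been invited to IT Security Helpdesk
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-it-helpdesk.atlassian.net; dkim=pass header.d=acme-it-helpdesk.atlassian.net; dmarc=pass header.from=acme-it-helpdesk.atlassian.net
Content-Type: text/plain; charset=utf-8

Welcome to IT Security Helpdesk.

Security alert: unusual sign-in detected. Confirm your identity at
https://sso-verify-login.example/confirm or your access will be revoked.

Visit the portal: https://acme-it-helpdesk.atlassian.net/servicedesk/customer/portal/1
"""

if __name__ == "__main__":
    for name, raw in (("benign", GITHUB_BENIGN), ("github-abuse", GITHUB_ABUSE), ("jira-abuse", JIRA_ABUSE)):
        print(name, triage(raw) or "clean")
```

All three samples carry passing authentication results, so a gateway rule keyed on SPF, DKIM, and DMARC alone clears every one of them; the benign commit is the only message that comes back clean once link destinations and the Atlassian tenant are checked. In production the tenant allowlist would come from the identity or SaaS inventory rather than a literal, and HTML parts would need the same URL extraction.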

My Take: The SaaS Trust Dilemma

This GitHub and Jira phishing tactic highlights a critical blind spot in modern cybersecurity: over-reliance on sender domain reputation and authentication results. When security gateways trust infrastructure from tech giants on sight, attackers will naturally pivot to using those platforms as delivery mechanisms. That nearly 3% of GitHub's email traffic on a peak day was linked to this abuse is a staggering metric that shows how efficient the method is.

Moving forward, SaaS providers like Atlassian and Microsoft-owned GitHub will need to apply stricter content scanning to outbound notifications, rather than relying solely on the recipient's email gateway to catch the threat. Until then, zero-trust principles must be applied not just to networks, but to the content of every email, regardless of its origin.

Sources: helpnetsecurity.com ↗