Threat actors have leveraged the legitimate email notification feature of Atlassian Jira to deliver localized scam emails at scale.
The emails
From late December 2025 through late January 2026, victims were targeted with spam emails from legitimate-looking Atlassian Jira Cloud addresses.
Organizations already using Jira were specifically targeted: the attackers selected domains known to have active Jira instances, which means recipients would be used to receiving Jira notifications.
The subject lines contained promises of gifts and bonuses, offers of special gaming opportunities, or posed as confirmation emails that required the recipients’ attention.
“In some cases, the threat actors used standard Jira-generated subject lines, which are less effective in enticing recipients to click on the links associated with online casinos and dubious investment schemes. It is unclear why threat actors used standard Jira subject lines; it might just have been the result of human error or misconfigured automation rules,” the researchers shared.
The goal was to get recipients to open the emails and follow the provided links, which would take them through a series of redirections and finally to pages peddling investment scams and to online casino landing sites.
The emails were tailored to target English, French, German, Italian, Portuguese, and Russian speakers.
“In some cases, target lists included highly skilled individuals born in Russia but who are currently living and working abroad, suggesting the campaign had targeted goals, even though financial gain still appeared to be the most prominent objective,” Trend Micro noted.
Abuse of a trusted SaaS platform
To mount the campaign, the spammers set up Atlassian trial accounts and used disposable Jira Cloud instances provisioned without any domain ownership verification, and then used built-in automation features to send the messages.
Because the emails were sent through Atlassian’s own infrastructure, they carried valid authentication (SPF and DKIM), signaling trustworthiness to both email security filters and users.
From the victim’s perspective, the emails would look like a normal Jira notification from a real Jira address.
“Organizations using Atlassian Jira were prime targets, especially those with high email volume and have a heavy reliance on collaboration tools, environments where Jira notifications are routinely trusted,” the researchers noted.
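Since SPF and DKIM pass for every Jira Cloud tenant, a mail filter has to check which tenant sent a notification, not only whether it authenticated. The sketch below is an added example, not code from Trend Micro or Atlassian; it assumes notifications arrive from `jira@<site>.atlassian.net`, that the receiving gateway writes an `Authentication-Results` header, and that `example-corp` is a placeholder for the organization's own site name.

```python
import email
from email.utils import parseaddr

# Assumption: site name(s) of the organization's own Jira Cloud instance (placeholder).
TRUSTED_JIRA_SITES = {"example-corp"}
# Assumption: Jira Cloud notifications are sent as jira@<site>.atlassian.net.
JIRA_CLOUD_SUFFIX = ".atlassian.net"

def auth_passed(msg):
    """True if the gateway recorded both SPF and DKIM as pass.
    Only trust Authentication-Results headers added by your own gateway."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return "spf=pass" in results and "dkim=pass" in results

def jira_site(msg):
    """Return the Jira Cloud site name taken from the From address, or None."""
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain.endswith(JIRA_CLOUD_SUFFIX):
        return domain[: -len(JIRA_CLOUD_SUFFIX)]
    return None

def classify(raw):
    """Classify one raw message; valid authentication alone never means trusted."""
    msg = email.message_from_string(raw)
    site = jira_site(msg)
    if site is None:
        return "not-jira"
    if not auth_passed(msg):
        return "jira-auth-fail"
    if site in TRUSTED_JIRA_SITES:
        return "trusted-tenant"
    # Authenticated Atlassian mail from a tenant we do not operate: hold for review.
    return "unknown-tenant"

# Constructed sample messages (not taken from the campaign).
AUTH_OK = "Authentication-Results: mx.example.test; spf=pass; dkim=pass\n"
SAMPLES = {
    "own": "From: Jira <jira@example-corp.atlassian.net>\n" + AUTH_OK
           + "Subject: [OPS-12] Deploy finished\n\nbody\n",
    "foreign": "From: Jira <jira@trial-site-123.atlassian.net>\n" + AUTH_OK
               + "Subject: Your bonus is waiting\n\nbody\n",
    "unauthenticated": "From: Jira <jira@example-corp.atlassian.net>\n"
                       "Authentication-Results: mx.example.test; spf=fail; dkim=none\n"
                       "Subject: [OPS-13] Review\n\nbody\n",
    "other": "From: Alice <alice@example.org>\n" + AUTH_OK + "Subject: hi\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

Messages classified as `unknown-tenant` are the ones this campaign produced: fully authenticated, but from a Jira instance the organization does not run.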




