{"id":24004,"date":"2026-04-07T15:32:33","date_gmt":"2026-04-07T08:32:33","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&p=24004"},"modified":"2026-04-07T16:48:14","modified_gmt":"2026-04-07T09:48:14","slug":"atlassian-jira-emerging-security-risks-in-the-cloud-ecosystem-atlassian-jira-emerging-security-risks-in-cloud-platforms","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/atlassian-jira-emerging-security-risks-in-the-cloud-ecosystem-atlassian-jira-emerging-security-risks-in-cloud-platforms\/","title":{"rendered":"Atlassian Jira: Emerging security risks in the Cloud Ecosystem (Atlassian Jira: Emerging security risks in Cloud platforms)"},"content":{"rendered":"

In recent years, Software-as-a-Service (SaaS) platforms have increasingly become attractive targets for cybercriminals. A sophisticated spam campaign has recently emerged, exploiting Atlassian Jira Cloud to distribute phishing emails targeting government agencies and enterprises. This campaign leverages the inherent trust placed in widely used collaboration tools, highlighting how legitimate platform features can be abused to bypass traditional email security defenses.<\/span><\/p>\n

Detailed findings<\/b><\/span><\/h2>\n

Attackers initiate the campaign by creating Atlassian Cloud accounts with randomly generated identities, enabling them to spin up multiple Jira Cloud trial instances without requiring domain own<\/span><\/span>ership verification.<\/span><\/span>\"B748a18d<\/a><\/span><\/span><\/span><\/p>\n

This approach allows attackers to operate with minimal traceability. Instead of relying on bulk user invitations via CSV\u2014an action that could raise suspicion\u2014they<\/span> exploit the automation capabilities of Jira Automation capabilities<\/span> (exploit the capabilities of Jira Automation) and distribute customized phishing emails.<\/span><\/span><\/p>\n

\"E1a2047a<\/a><\/span><\/p>\n

These emails are sent from the <\/span>atlassian.net<\/span><\/a> domain\u2014a highly reputable source that strictly complies with authentication standards such as SPF and DKIM\u2014allowing them to bypass spam filters in most email systems with ease. The content is carefully localized and tailored to specific targets, such a<\/span>s highly skilled individuals of Russian origin living and working abroad<\/span><\/span><\/p>\n

Victims are typically lured to phishing websites linked to fraudulent investment schemes or online casinos. In many cases, attackers leverage Keitaro TDS (Traffic Direction System) to intelligently route traffic, ensuring targets are redirected to the most convincing malicious destinations.<\/span><\/p>\n

The campaign ran from late December 2025 through the end of January 2026, primarily targeting organizations that rely heavily on Jira and handle email communications. While financial gain appears to be the primary objective, the level of targeting suggests that additional motives may be at play.<\/span><\/p>\n

Most email security systems rely heavily on sender-based evaluation\u2014checking SPF, DKIM, and DNS reputation to classify spam or phishing attempts. However, this campaign exposes critical weaknesses in that approach:<\/span><\/p>\n