Spam Campaign Abuses Atlassian Jira, Targets Government and Corporate Entities
Key takeaways
- Attackers abused Atlassian Cloud’s trusted domain for a spate of spam campaigns. The campaigns tried to leverage the domain name and reputation of this legitimate and well-known SaaS platform.
- Emails were tailored to target specific language groups, targeting English, French, German, Italian, Portuguese, and Russian speakers — including highly skilled Russian professionals living abroad.
- These campaigns not only distributed generic spam, but also specifically targeted sectors such as government and corporate entities.
- Keitaro Traffic Distribution System (TDS) powered redirects, channeling targets to dubious investment schemes and online casinos, indicating that financial gain was likely the primary motive behind these campaigns.
- Organizations using Atlassian Jira were prime targets, especially those with high email volume and have a heavy reliance on collaboration tools, environments where Jira notifications are routinely trusted.
- Enterprises should deploy advanced email security solutions such as TrendAI Vision One™ Email and Collaboration Security, which provide layered detection and identity-aware controls to better detect and block phishing and abuse of trusted SaaS platforms.
Threat actors used Atlassian Jira Cloud and its connected email system to run automated spam campaigns, effectively bypassing traditional email security by abusing the strong domain reputation of Atlassian Jira Cloud products. The campaigns were active from late December 2025 through late January 2026, during which organizations and individuals worldwide — particularly English, French, German, Italian, Portuguese, and Russian–speaking targets — received spam emails from legitimate-looking Atlassian Jira Cloud addresses.
In addition, campaigns did not appear to generate generic spam. They also targeted specific sectors, most notably government and corporate entities. The emails redirected targets to pages on investment scams and online casino landing sites, suggesting that actors were likely motivated by financial gain.
This activity exemplifies how threat actors can abuse legitimate tools for malicious activities, this time using software-as-a-service (SaaS) platforms to deliver spam or spear-phishing emails. By operating through established and reputable cloud services with strong domain reputations, attackers are able to bypass blocklists and exploit inherent trust in enterprise tools. Traditional email security places higher trust on notifications from SaaS providers. These campaigns piggyback on this trust to exploit a well-known and legitimate SaaS provider. In addition, the built-in compliance with authentication checks like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) further reduced the likelihood of detection.
The campaign also demonstrates a high degree of automation: Threat actors appear to rapidly create multiple Atlassian instances, likely using free or trial Atlassian accounts, to target specific industry sectors.
As SaaS platforms continue to expand their email-driven workflows, these attacks reveal the need to reassess long-standing trust assumptions and tighten controls around third-party cloud-generated email. In this blog entry, we break down the attack in detail to identify where defenses would be the most effective against similar tactics.
We shared this information in advance with Atlassian’s security team to report the platform abuse.
In this section, we examine how the campaign was executed end-to-end, reproducing key steps to validate our assumptions about the attackers’ methods.
Threat actors began by creating Atlassian Cloud accounts using randomized naming conventions, enabling them to generate disposable Jira Cloud instances at scale. Our analysis showed that these instances resolved to AWS IP (13[.]227[.]180[.]4), which also served many legitimate Atlassian Cloud deployments. This strongly suggests that the attack used legitimate Atlassian Cloud infrastructure, not compromised servers.
The spam-related instances appeared to have been provisioned without any domain ownership verification. We found no registered domains that corresponded with the instance names. Therefore, the registered domains did not resemble the spoofed company names. This indicates that the threat actors were not attempting to reinforce legitimacy through domain registration but instead relied on the inherent trust associated with Atlassian-generated system emails.
Further review revealed how setting up an Atlassian trial account is a straightforward process, meaning it lowered the barrier for threat actors to repeatedly create new instances.
About Author
