Attackers Abuse GitHub and Jira Notification Systems to Bypass Email Security Filters
Threat actors are increasingly leveraging the inherent trust of major SaaS platforms to deliver phishing lures directly through legitimate system-generated alerts.
SAN FRANCISCO, CA — Security researchers have identified a sophisticated shift in phishing tactics, where attackers are bypassing traditional email gateways by abusing the automated notification systems of GitHub and Jira. By exploiting "comment" and "mention" features within these trusted developer platforms, hackers are able to send malicious links via legitimate @github.com or @atlassian.net email addresses, making the lures nearly indistinguishable from genuine project updates.
The campaign, first detailed by Help Net Security and Cybersecurity News, highlights a growing trend of "Living off the Trust" (LotT), where attackers use the reputation of massive SaaS providers to shield their malicious intent from automated security scanners.
The Mechanics of the "Notification Phish"
The attack does not require a breach of the platforms themselves. Instead, it exploits the standard collaborative workflows designed into SaaS environments:
- Account Creation: Attackers create free or trial accounts on GitHub or Jira.
- Target Selection: Using scraped data or public repository lists, they identify target users.
- The Trigger: The attacker creates a public repository or a Jira ticket and "mentions" the victim’s username in a comment containing a malicious URL or a fake "Security Update" notice.
- The Delivery: The SaaS platform automatically generates a notification email. Because the email originates from the platform’s verified IP and domain, it passes SPF, DKIM, and DMARC checks, landing directly in the victim’s primary inbox.
Why Conventional Defense Fails
Traditional Secure Email Gateways (SEGs) are built around sender reputation: they flag suspicious sender domains, failed SPF/DKIM/DMARC checks, or poorly configured mail servers. When a phishing link arrives inside a notification from GitHub or Atlassian, every one of those signals looks clean, and the SEG treats the message as coming from a "Trusted Source" without inspecting the link the attacker placed in the comment body.
Furthermore, these notifications often trigger push alerts on mobile devices or Slack integrations, creating a sense of urgency that bypasses the user's typical skepticism. According to Cryptika, many of the recent lures have revolved around fake "CVE Vulnerability Alerts" or "Urgent Source Code Audits," specifically designed to trick developers and IT managers into clicking through to a credential harvesting page.
The CyberSignal Analysis
Signal 01 — The Professionalization of "Shadow Phishing"
This isn't just a clever trick; it is a tactical evolution. By moving the point of attack from a cold email to a platform notification, attackers hijack the trust placed in the user's everyday workflow instead of first having to steal credentials or spoof a sender. For organizations, this means that even a "clean" email environment is vulnerable to abuse of external platforms it has chosen to trust.
Signal 02 — The DevSecOps Blind Spot
Developers are trained to react quickly to GitHub alerts. This conditioned response is exactly what attackers are weaponizing. This incident underscores why Zero Trust Security models must extend to notifications arriving from external SaaS platforms. Organizations should consider disabling public mentions from unverified accounts and using behavioral or content-analysis tools that scan the links inside an email even when the sender is a trusted giant like Atlassian.
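The content check described above, applied to the notification mechanics in the previous section, as an added example (this is not code from the article, from GitHub, or from Atlassian): because the sender really is the platform, the useful signal is whether the links in the body stay on the platform's own domains. The script parses a raw notification email, looks the sender up in a small allow-list, and returns any URL whose host falls outside the domains that sender should ever link to. The sender table, the Jira tenant name `acme.atlassian.net`, and both sample messages are constructed for illustration.

```python
"""Flag SaaS notification e-mails whose links leave the platform that sent them.

Added example, not code from the article or from GitHub/Atlassian. Assumes
notification mail is available as raw RFC 5322 text (e.g. from a journaling
mailbox). Sample messages and the sender table below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical policy table: for each trusted notification sender, the domain
# suffixes a genuine notification may link to. Extend it with your own tenants.
TRUSTED_SENDERS = {
    "notifications@github.com": ("github.com",),
    "jira@acme.atlassian.net": ("atlassian.net", "atlassian.com"),
}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def host_allowed(url, allowed_suffixes):
    """True if the URL's host is one of the suffixes or a subdomain of one.

    Suffix matching is anchored on a dot, so github.com.evil.example and
    github-security-audit.example are both rejected for the github.com rule.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in allowed_suffixes)


def suspicious_links(raw_message):
    """Return off-platform URLs found in a notification from a trusted sender.

    An empty list means either the sender is not a trusted platform (so the
    normal gateway rules apply) or every link stays on the platform's domains.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Use the address, not the display name; SPF/DKIM already vouch for it.
    sender = parseaddr(str(msg["From"]))[1].lower()
    allowed = TRUSTED_SENDERS.get(sender)
    if allowed is None:
        return []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        if not host_allowed(url, allowed) and url not in hits:
            hits.append(url)
    return hits


# Constructed sample: a genuine-looking issue comment whose links stay on GitHub.
GENUINE = """\
From: GitHub <notifications@github.com>
To: dev@example.com
Subject: [acme/widget] Build failing on main (Issue #42)
Content-Type: text/plain; charset=utf-8

@dev the CI run is red again, see https://github.com/acme/widget/issues/42
--
Reply to this email directly or view it on GitHub:
https://github.com/acme/widget/issues/42#issuecomment-1
"""

# Constructed sample: the same delivery path carrying a fake CVE alert. The
# comment really lives on GitHub, but the lure links point off-platform.
PHISH = """\
From: GitHub <notifications@github.com>
To: dev@example.com
Subject: [attacker-org/lure] URGENT: CVE alert for your repository
Content-Type: text/plain; charset=utf-8

@dev a critical vulnerability was found in your code. Review the report at
https://github-security-audit.example/report?u=dev and re-authenticate at
https://github.com.security-review.example/login before access is revoked.
--
Reply to this email directly or view it on GitHub:
https://github.com/attacker-org/lure/issues/1#issuecomment-7
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("phish", PHISH)):
        print(name, suspicious_links(raw))
```

The check deliberately ignores the legitimate `github.com/attacker-org/...` link in the phishing sample: the comment genuinely exists on GitHub, and flagging it would only produce noise. What matters is the credential-harvesting destination, and a lookalike host such as `github.com.security-review.example` is rejected because the suffix match is anchored on a dot rather than on a substring.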
Analyst Note
This campaign is part of a broader shift toward initial access that rides on trusted third-party channels rather than on sender spoofing. Because the notification genuinely originates from GitHub or Atlassian, authentication checks on the envelope tell defenders nothing about the link inside it; the abuse lives entirely in user-supplied content that the platform relays unchanged.
Recommendation: treat platform notifications as untrusted content even when the sender is verified. Inspect the links inside GitHub and Jira notification mail and flag any destination outside the platform's own domains; review notification settings so that mentions from accounts outside your organization do not reach inboxes unchecked; and train developers to open a mention in the platform itself rather than by following the link in the alert.
Sources
| Type | Source |
|---|---|
| Technical Alert | Help Net Security: SaaS Platforms Notifications Abused |
| Technical Intel | Cryptika: Phishing Through Trusted SaaS Channels |
| Community Warning | Reddit: Attackers Abusing GitHub/Jira Alerts |
| Industry News | Cybersecurity News: Alert System Vulnerability |