Cybercriminals are now weaponizing the very tools that developers and IT teams trust the most. By abusing the automated notification features built into GitHub and Jira, threat actors are delivering convincing phishing emails that originate directly from those platforms\u2019 own servers.<\/a><\/p>\n What makes this campaign so dangerous is its simplicity. Traditional phishing relies on spoofed sender addresses or fake lookalike domains that security tools can often detect. <\/p>\n In this case, the emails come from verified infrastructure \u2014 real servers tied to GitHub and Atlassian, the company behind Jira. <\/p>\n Since these emails satisfy all standard authentication requirements, including SPF, DKIM, and DMARC, most security gateways have no technical grounds to block them.<\/a><\/p>\n Cisco Talos analysts tracked this growing trend<\/a> and published their findings on April 7, 2026. Their data shows that on February 17, 2026 \u2014 the peak day of activity \u2014 about 2.89% of all emails from GitHub\u2019s infrastructure were tied to this abuse. <\/p>\n Over a five-day window, roughly 1.20% of traffic from \u201cnoreply@github.com\u201d included an \u201cinvoice\u201d lure in the subject line.<\/a><\/p>\n Talos researchers refer to this method as the Platform-as-a-Proxy (PaaP) model. Attackers do not need to compromise any system or break into these platforms. <\/p>\n They simply use the existing features \u2014 repository commits, project invitations \u2014 as channels to push malicious content<\/a>. The platforms handle the delivery, complete with verified signatures and trusted branding.<\/a><\/p>\n In nearly all observed cases, the end goal is credential harvesting. Victims are lured into clicking fake billing alerts, fraudulent support numbers, or deceptive account warnings. <\/p>\n Once a user hands over login credentials, attackers gain an entry point that can lead to unauthorized access, account takeovers, and deeper network compromise.<\/a><\/p>\n On GitHub, the attack begins with creating a repository. The attacker then pushes a commit with message fields loaded with social engineering content. GitHub\u2019s commit interface has two text areas: a short mandatory summary line and a longer optional description. <\/p>\n The attacker places an urgent-sounding hook \u2014 such as a fake invoice or billing alert \u2014 in the summary, and fills the extended description with the full scam message, including fake phone numbers or fraudulent links. <\/p>\n When the commit is submitted, GitHub automatically notifies all collaborators via email, with the full message embedded in the notification body. <\/p>\n The resulting email appears as a standard GitHub notification. The raw email headers in\u00a0confirm the sending server as \u201cout-28.smtp.github.com\u201d \u2014 a legitimate GitHub mail server with IP \u201c192.30.252.211.\u201d <\/p>\n The DKIM signature carries \u201cd=github.com\u201d and passes all checks without raising any security flag.<\/p>\n The Jira approach uses a different mechanism. Attackers create a Jira Service Management<\/a> project, setting a fake name \u2014 such as \u201cArgenta\u201d \u2014 and embedding their phishing message inside the \u201cWelcome Message\u201d or \u201cProject Description\u201d field. <\/p>\n Using the \u201cInvite Customers\u201d feature, they submit the target\u2019s email address. Atlassian\u2019s backend then generates an automated invite email, wrapping the attacker\u2019s content inside its own signed and branded template. <\/p>\n The email arrives looking exactly like an official Jira system notification, complete with Atlassian\u2019s branding footer.<\/a><\/p>\n Cisco Talos recommends that organizations shift away from blindly trusting SaaS platform emails. <\/p>\n Security teams should integrate GitHub and Atlassian API audit logs<\/a> into a SIEM or SOAR system to flag unusual activity \u2014 such as mass user invitations or project creation from unfamiliar locations \u2014 before any phishing email is sent. <\/p>\n Any notification carrying financial or urgency-driven content from platforms like GitHub or Jira should be flagged for review, as that content conflicts with those tools\u2019 intended purpose. <\/p>\n For sensitive interactions, users should navigate directly to the official platform portal rather than clicking notification links. <\/p>\n Organizations are also encouraged to automate takedown reports to platform Trust and Safety teams to raise the operational cost for attackers.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Abuse GitHub and Jira Notifications to Deliver Phishing Through Trusted SaaS Channels<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHow the Attack Works: GitHub and Jira Notification Pipelines<\/strong><\/h2>\n
![\"Email](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhbRdDUwnrUsbvd1DMHPY8ftHJbolK69JOUkgeqXRO0QxNtpdSGjZVsV49FcRIon0CubJs4KGnxcW8b83Hj82pVpPnNJ6QnICR1NcuGG4-4fXPm_QwOprnkW_wAOq7eD6oL3VVvnsQodltdV3HvL5yOLggfkZJ91Jdcr-HhF7UL9C58DocmipWmJVKymz8\/s16000\/Email%2520header%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjv-6Oley7nwandVFDWBUduF4PhBWjRejPBcu_sV7S2olMCV27vsZXfaaoOkGfdyfVcC2IYca5-XqWWFc8kg_c-vKGPtABt5F23BbFZWrHhuATJIo0QwABZcm2y7TjXh9jmrjXcbLX9_6pdfWB23hAqtmRzjQsoyGvjYcWJagKGzNJVoJJAO8yZvdF6a2Y\/s16000\/The%2520body%2520of%2520the%2520message%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"Raw](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiXiuxDkZEsiOPgTkK5TGeUiSNZUdzoJwiYW0Lvh35DoJnsnw3lpP9vJaX8JVAL9b0ftpMWMj6MQw1LeLil_UFQVvBfdKmFnMYaHrtW3b-qX1kRMYbTJHT4lTYQ38gfj1rL7rSNttZ1jnhwsZGiNrJLXpE7ERE-aQpYOFvKcQyytM2xjcIPKBBQDqNB_ys\/s16000\/Raw%2520headers%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhiOuHmFTysmcQcHpHZzanKuuLInkzRTk9zWuPKKpBOzi3IEigM-7ySWAmS0PQQ4D-83GAJJgPORCO2XTADn0hEuzqORRWuCYwj2wKo9I4jf_RUbMAItFKajR0NMg-_m39W_aSuXfa55QqcETmc4VO3cEc7rc3XE050L8E2XtwYY9RjAtDRNbMd0nxVs1Y\/s16000\/The%2520body%2520of%2520the%2520message%2520and%2520the%2520footer%2520branding%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")