Cybercriminals Exploit Atlassian Cloud to Launch Sophisticated Spam Campaigns
In a recent development, cybercriminals have been found exploiting Atlassian Cloud’s trusted infrastructure to orchestrate advanced spam campaigns. By manipulating legitimate features within the platform, these attackers effectively circumvent traditional email security measures, reaching high-value targets with deceptive messages. The primary objective of this campaign is to redirect recipients to fraudulent investment schemes, leveraging the credibility associated with reputable software-as-a-service (SaaS) providers to enhance the plausibility of their scams.
Targeted Demographics and Languages
This campaign exhibits a high degree of specificity, targeting government and corporate entities across diverse regions. The attackers have tailored their messages to various language groups, including English, French, German, Italian, Portuguese, and Russian-speaking demographics. Such customization increases the likelihood of engagement, as recipients are more inclined to trust communications in their native language. The end goal is to funnel traffic to malicious landing pages via Traffic Distribution Systems (TDS) like Keitaro, thereby generating revenue through scams and illicit advertising.
Timeline and Detection Challenges
Trend Micro researchers identified a surge in this malicious activity between late December 2025 and January 2026. Because the emails are sent from established cloud services with strong domain reputations, they pass standard authentication checks such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM): the checks confirm that the platform sent the message, not that its content is benign. This significantly complicates detection for conventional security filters, which often treat notifications from reputable SaaS platforms as trusted by default.
Automation and Scalability
The campaign demonstrates a high level of automation, enabling threat actors to rapidly scale their operations. By creating multiple Atlassian instances, they can distribute their messages widely. Even if one instance is blocked, others continue to function, ensuring the persistence of the campaign. This resilience underscores the evolving tactics of modern cybercriminals, who weaponize legitimate tools to conduct malicious activities without triggering immediate alarms.
Mechanism of Infrastructure Abuse
The core of this campaign lies in the ease with which threat actors can provision disposable infrastructure to facilitate their attacks. Attackers initiate the process by creating Atlassian Cloud accounts using randomized naming conventions, enabling them to generate numerous Jira Cloud instances without requiring domain ownership verification. These instances resolve to legitimate AWS IP addresses shared by valid deployments, further masking the malicious nature of the activity. Attackers rely on the inherent trust of Atlassian-generated emails rather than reinforcing legitimacy through domain registration.
Once the infrastructure is in place, the attackers utilize Jira Automation to construct and send crafted emails. This method allows them to deliver messages directly through Atlassian’s integrated email system, avoiding the need for their own mail servers. The recipients do not need to be listed users within the instance, permitting widespread distribution without exposing the attacker’s true identity or infrastructure.
Recommendations for Organizations
Organizations should reassess their trust assumptions regarding third-party cloud-generated emails to prevent such abuses. Security teams are advised to implement stringent verification processes for emails originating from SaaS platforms, even those with established reputations. Additionally, monitoring for unusual patterns in email traffic and conducting regular security audits can help identify and mitigate potential threats.
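The following Python script illustrates the kind of check the recommendations above call for. It is an added example for this article, not code from Trend Micro or Atlassian, and it does not detect this campaign specifically. The two sample messages, their header values (including the `Authentication-Results` line), the allow-list of sender domains and the inventory of known Jira sites are all constructed assumptions. The point it demonstrates is that an SPF/DKIM pass on mail from a SaaS platform should be treated as proof of origin only; the notification is then triaged on where its links actually lead and whether the originating site is one the organisation owns.

```python
"""Triage of SaaS-platform notifications: constructed example, not production code."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains whose mail legitimately passes SPF/DKIM because the platform
# itself sends it (assumed allow-list for this example).
TRUSTED_SAAS_SENDER_DOMAINS = {"atlassian.net", "atlassian.com"}
# Link destinations a genuine notification from this platform would use
# (assumed list for this example).
EXPECTED_LINK_DOMAINS = {"atlassian.net", "atlassian.com"}
# Jira Cloud sites the organisation actually owns (assumed inventory).
KNOWN_SITES = {"ourcompany.atlassian.net"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _domain_of(host):
    """Return the last two labels of a hostname, e.g. 'x.y.atlassian.net' -> 'atlassian.net'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def auth_passed(auth_results):
    """True when a (constructed) Authentication-Results header reports spf=pass and dkim=pass."""
    lowered = (auth_results or "").lower()
    return "spf=pass" in lowered and "dkim=pass" in lowered


def triage_notification(raw_message):
    """Return a dict of findings for one plain-text notification email."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(sender.rsplit("@", 1)[-1])
    from_trusted = sender_domain in TRUSTED_SAAS_SENDER_DOMAINS
    authenticated = auth_passed(msg.get("Authentication-Results"))

    # Authentication says who sent it; the links say where it wants to take the reader.
    body = msg.get_payload()
    hosts = [h for h in (urlparse(u).hostname for u in URL_RE.findall(body)) if h]
    external = {h for h in hosts if _domain_of(h) not in EXPECTED_LINK_DOMAINS}
    sites = {h for h in hosts if h.endswith(".atlassian.net")}
    unexpected_sites = sites - KNOWN_SITES

    reasons = []
    if from_trusted and authenticated:
        if external:
            reasons.append("authenticated platform mail links outside the platform")
        if unexpected_sites:
            reasons.append("notification references a site not in our inventory")
    return {
        "sender_domain": sender_domain,
        "from_trusted_saas": from_trusted,
        "authenticated": authenticated,
        "external_link_domains": sorted(external),
        "unexpected_sites": sorted(unexpected_sites),
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "clean",
    }


# Constructed sample: passes SPF/DKIM, comes from a randomly named site we do
# not own, and links to a redirector outside the platform.
SAMPLE_SPAM = """\
From: Jira <jira@qz7k3p.atlassian.net>
To: finance@example.org
Subject: [JIRA] Your statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=qz7k3p.atlassian.net; dkim=pass header.d=atlassian.net

Hello,
Your statement has been generated. View it here:
https://qz7k3p.atlassian.net/browse/QZ-1
https://redirect-example.invalid/track?c=42
"""

# Constructed sample: a notification from the site we own, linking back to it.
SAMPLE_CLEAN = """\
From: Jira <jira@ourcompany.atlassian.net>
To: ops@example.org
Subject: [JIRA] OPS-12 assigned to you
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=ourcompany.atlassian.net; dkim=pass header.d=atlassian.net

OPS-12 was assigned to you: https://ourcompany.atlassian.net/browse/OPS-12
"""

if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        print(name, triage_notification(sample))
```

The heuristic is deliberately narrow: it fires only when the message is both authenticated and from an allow-listed platform, because that is exactly the combination a reputation-based filter would wave through. In practice the site inventory would come from the organisation's SaaS asset register, and a hit would route the message to a quarantine or review queue rather than block it outright.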
By understanding and addressing these sophisticated tactics, organizations can better protect themselves against evolving cyber threats that exploit trusted platforms for malicious purposes.