
GitHub and Jira Alerts Exploited for Trusted SaaS Phishing


Increasing Phishing Threats: Exploiting GitHub and Jira Notification Systems

Recent analysis shows that attackers are increasingly abusing the built-in notification systems of GitHub and Jira to deliver phishing. The trend worries defenders because the emails these platforms send look entirely legitimate to recipients, which is exactly what makes the lure effective.

A critical aspect of this activity is that the emails are dispatched from the platforms' own mail servers. They therefore satisfy SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) rather than having to evade them: those mechanisms confirm that the sending infrastructure is authorised for the domain, not that the content is benign. Traditional email gateways that lean heavily on authentication results consequently struggle to block these messages.

The routing of these emails via the legitimate mail infrastructure of GitHub and Jira means that security products often classify them as trusted traffic originating from reputable domains. This, unfortunately, creates a false sense of security among users and organizational systems alike.

According to reports, the majority of these phishing campaigns are centered on credential harvesting. The attackers use the initial phishing attempt as a foothold for more serious attacks once they have compromised their targets' accounts. A notable instance occurred on February 17, 2026, when approximately 2.89% of all emails observed being sent from GitHub were linked to these malicious activities, an indication of the scale of the abuse.

The Cisco Talos cybersecurity team has noted an uptick in spam and phishing activities propagated through notification pipelines in widely used SaaS collaboration tools, especially GitHub and Atlassian Jira. During a five-day observation window, a striking 1.20% of emails sent from a specific GitHub address carried "invoice" lures in their subject lines, indicating a targeted approach to phishing.

This type of attack employs an emerging strategy known as the “Platform-as-a-Proxy” (PaaP) model, which leverages legitimate Software as a Service (SaaS) platforms as delivery vehicles for malicious content. The emails are generated and signed off by GitHub or Jira, fulfilling authentication requirements and utilizing the established reputation of these trusted providers. This effectively obscures the attackers’ malevolent intent while providing their phishing communications with an unwarranted “seal of approval” that many security gateways do not question.

Attackers embed social engineering lures inside genuine workflow notifications, such as commit alerts or service desk invitations. Users accustomed to receiving these notifications are more likely to click on links, particularly when the content concerns urgent matters like invoices or support issues. In GitHub's case, attackers exploit the automated commit notification system: they create repositories and push commits whose standard commit fields carry the malicious content. The summary field, which appears most prominently in email alerts, typically alludes to a billing or account-related crisis and acts as the initial hook.

The extended description field typically houses the bulk of the fraudulent material, including counterfeit billing statements, fake customer support numbers, or direct phishing links. When a commit is pushed, GitHub automatically emails collaborators from a legitimate SMTP host such as "out-28.smtp.github.com", complete with a valid DKIM signature with "d=github.com". Because the structure and headers of these messages are genuine, they pass security filters and land in users' inboxes.

On the Jira platform, attackers adopt a slightly different strategy by focusing on invitation and service desk workflows. They utilize configurable fields such as "Project Name," "Welcome Message," or "Project Description" to embed their phishing content. When Jira dispatches automated emails, the content injected into its trusted templates appears professional and authentic, further entrenching the likelihood of user interaction. Given the prevalence of Jira notifications in corporate environments, these emails often evade security filters and present phishing content under the guise of internal communication about helpdesk or project updates.

This troubling trend has unveiled a growing "trust paradox" in cybersecurity where organizations perceive emails from major SaaS platforms as inherently safe. To combat this alarming situation, cybersecurity defenders should implement more stringent identity checks on specific SaaS instances and sender identities permitted within their systems. Ingesting GitHub and Atlassian API logs into Security Information and Event Management (SIEM) tools can help detect unusual repository or project activity, thus allowing companies to profile typical business usage patterns. This, in turn, will enable the flagging of any urgent billing notifications from code or ticketing platforms that deviate from the norm.
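The detection approach described above, applied to the notification emails themselves, is illustrated by the following added example. It is not code from the article or from Cisco Talos. It parses a raw notification message, confirms that the DKIM `d=` domain matches the From domain of a trusted platform (the case a gateway waves through), and then scores the message on the lure vocabulary the article describes (invoice, billing, support) together with off-platform links and phone numbers. The two sample messages are constructed; the Atlassian sender and link domains and the lure word list are assumptions to tune against your own mail telemetry.

```python
"""Triage SaaS notification mail that passes DKIM yet carries a billing lure.

Added illustration, not code from the article or from Cisco Talos. The two
sample messages below are constructed; the Jira domains and the lure word list
are assumptions to adjust for your own tenant and telemetry.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Words the article associates with these lures (invoice, billing, support).
LURE_TERMS = re.compile(
    r"\b(invoice|billing|payment|overdue|suspend(?:ed)?|refund|call support)\b", re.I)
PHONE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
URL = re.compile(r"""https?://[^\s<>"')]+""")

# Platform DKIM domain -> hosts its genuine notifications are expected to link to.
# github.com follows the article; the Atlassian entry is an assumption.
EXPECTED_LINK_HOSTS = {
    "github.com": ("github.com",),
    "atlassian.net": ("atlassian.net", "atlassian.com"),
}


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def dkim_domain(msg):
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None


def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def platform_of(domain):
    return next((p for p in EXPECTED_LINK_HOSTS if domain and _in_domain(domain, p)), None)


def triage(raw: bytes) -> dict:
    """Return indicators and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dkim, sender = dkim_domain(msg), sender_domain(msg)
    platform = platform_of(dkim)
    # "Authenticated" means DKIM d= and From agree on a trusted platform domain,
    # i.e. exactly the message an authentication-based gateway will accept.
    authenticated = platform is not None and sender is not None and _in_domain(sender, platform)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    lures = sorted({m.group(0).lower() for m in LURE_TERMS.finditer(text)})
    phones = PHONE.findall(text)
    expected = EXPECTED_LINK_HOSTS.get(platform, ())
    foreign = [u for u in URL.findall(text)
               if not any(_in_domain((urlparse(u).hostname or "").lower(), h) for h in expected)]
    if not authenticated:
        verdict = "unauthenticated"   # ordinary gateway controls apply; out of scope here
    elif lures and (foreign or phones):
        verdict = "high"              # trusted sender + lure + off-platform call to action
    elif lures:
        verdict = "medium"            # lure wording only: review the repo/project via the API
    else:
        verdict = "low"
    return {"platform": platform, "authenticated": authenticated, "lures": lures,
            "phones": phones, "foreign_urls": foreign, "verdict": verdict}


# Constructed sample: a commit notification carrying an invoice lure.
SAMPLE_LURE = b"""Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.0.2.10])
DKIM-Signature: v=1; a=rsa-sha256; d=github.com; s=pf2023; h=From:Subject; bh=...; b=...
From: "Billing Dept" <notifications@github.com>
To: dev@example.test
Subject: [acme/invoice-0427] Invoice #44817 overdue - account suspended in 24h
Content-Type: text/plain; charset=utf-8

Billing Dept pushed 1 commit.

Invoice #44817 overdue - account suspended in 24h

Your payment could not be processed. Review the invoice at
https://billing-portal.example-phish.test/pay and call support 1-800-555-0199.
"""

# Constructed sample: an ordinary commit notification.
SAMPLE_BENIGN = b"""Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.0.2.10])
DKIM-Signature: v=1; a=rsa-sha256; d=github.com; s=pf2023; h=From:Subject; bh=...; b=...
From: "Ada Developer" <notifications@github.com>
To: dev@example.test
Subject: [acme/api-gateway] Fix nil-pointer in rate limiter
Content-Type: text/plain; charset=utf-8

Ada Developer pushed 1 commit.

Fix nil-pointer in rate limiter

View it on GitHub: https://github.com/acme/api-gateway/commit/0123abcd
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

The point of the `authenticated` gate is that a DKIM pass is treated as the start of the analysis rather than the end of it: a message that is provably from GitHub and still talks about overdue invoices with a link off github.com is the "trust paradox" case, and that combination, not either signal alone, is what drives the high verdict. In a real deployment the hits would be joined with the GitHub or Atlassian API record for the repository or project named in the subject, so that a repository created minutes earlier by an unknown account can be quarantined and reported.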

Ultimately, exploiting GitHub for its strong developer reputation and Jira for its integral role in business processes affords attackers the ability to launder malicious content through reputable platforms. Cisco Talos advocates a shift away from the traditional binary, domain-level trust model towards a Zero Trust approach to SaaS notifications. By applying additional scrutiny to high-risk communications and automating the removal of malicious repositories or Jira projects, organizations can raise the cost for attackers and diminish the effectiveness of this growing PaaP model.

In closing, as phishing tactics evolve to exploit established SaaS platforms, the onus is on organizations to bolster their defenses and instill a deeper understanding of risks associated with trusted communication channels.
