Phishers Exploit GitHub and Jira Notification Systems to Bypass Email Authentication

Attackers are abusing GitHub and Atlassian Jira's native notification engines to deliver phishing emails that pass SPF, DKIM and DMARC checks, undermining traditional email defenses and exposing third‑party risk for organizations that rely on these SaaS platforms.

🛡️ LiveThreat™ Intelligence · 📅 April 09, 2026· 📰 helpnetsecurity.com
Severity: High · Type: ThreatIntel · Confidence: High · Affected: 2 sector(s) · Actions: 3 recommended · Source: helpnetsecurity.com

What Happened — Attackers are leveraging the built‑in notification engines of SaaS platforms GitHub and Atlassian Jira to send phishing and spam emails that pass SPF, DKIM and DMARC checks. By inserting malicious content into repository commit summaries or Jira project fields, the emails appear to originate from the trusted platforms themselves.

Why It Matters for TPRM

  • Trusted third‑party SaaS notifications can become a covert delivery channel for credential‑stealing attacks.
  • Traditional email‑gateway controls (SPF/DKIM/DMARC) are ineffective against this abuse, increasing the risk of successful phishing across the supply chain.
  • Organizations that rely on GitHub or Jira for collaboration must reassess vendor‑side email security controls and user‑training programs.

Who Is Affected — Technology / SaaS vendors, their enterprise customers, development teams, IT service‑desk users, and any organization that integrates GitHub or Jira into its workflow.

Recommended Actions

  • Review the notification‑system configurations of GitHub, Jira, and any similar SaaS tools used by your vendors.
  • Enforce strict content‑filtering on inbound emails, even when they pass authentication, using URL‑reputation and attachment scanning.
  • Conduct phishing‑awareness training that highlights “trusted‑source” phishing scenarios.
  • Engage vendors to implement additional anti‑abuse controls (e.g., rate‑limiting, content sanitisation) on their notification APIs.

Technical Notes — Attack vector: PHISHING via SaaS‑generated emails; no known CVE. The abuse exploits legitimate platform‑generated messages, embedding malicious links or fake billing details in commit descriptions (GitHub) or Jira “Invite Customers” fields. Observed peak‑day abuse rate: ~2.89 % of GitHub‑sent emails. Source: Help Net Security
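
A triage check for the content-filtering recommendation above, added here as an example and not taken from the original reporting or from either vendor. It inspects GitHub/Jira notifications that have already passed DMARC and flags links that leave the platform's own domains, plus billing-lure wording. The domain map, keyword list and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumption: sender domain -> hosts that platform's own notification links use.
PLATFORM_LINK_HOSTS = {
    "github.com": ("github.com", "githubusercontent.com"),
    "atlassian.net": ("atlassian.net", "atlassian.com"),
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Constructed keyword list for the fake-billing lure the brief describes.
LURE_RE = re.compile(r"invoice|billing|payment|refund", re.I)

# Constructed sample: attacker text in a commit summary, relayed by the platform.
SAMPLE = """\
From: GitHub <notifications@github.com>
Subject: [acme/repo] Invoice overdue (abc123)
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass

Commit summary: Invoice #4471 overdue, confirm payment at
https://billing-support.example/verify
View it on GitHub: https://github.com/acme/repo/commit/abc123
"""

def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _host(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL: report it as an empty, off-platform host
        return ""

def triage(raw):
    """Findings for a GitHub/Jira notification that already passed DMARC."""
    msg = message_from_string(raw, policy=default)
    # Only trust an Authentication-Results header stamped by your own gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain.lower() if addrs else ""
    platform = next((p for p in PLATFORM_LINK_HOSTS if _under(sender, (p,))), None)
    if platform is None or "dmarc=pass" not in auth:
        return []  # not an authenticated platform notification; out of scope
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part else ""
    hosts = [_host(u) for u in URL_RE.findall(text)]
    allowed = PLATFORM_LINK_HOSTS[platform]
    findings = [("off-platform-link", h) for h in hosts if not _under(h, allowed)]
    return findings + ([("billing-lure", platform)] if LURE_RE.search(text) else [])
```

Findings are meant to feed URL-reputation lookups or a quarantine queue rather than to block on their own, since legitimate commit messages and Jira fields can also contain external links.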

📰 Original Source
https://www.helpnetsecurity.com/2026/04/09/saas-platforms-notification-systems-phishing/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
