When Trusted SaaS Platforms Become the Delivery Vehicle for Spam

Feb 20, 2026

In early 2026, security researchers uncovered a campaign that used Atlassian Jira Cloud to distribute targeted spam to government and corporate organizations. The case is a good reminder of something many teams still underestimate: attackers don’t always break in. Sometimes, they simply sign up.

This post breaks down how this kind of campaign works, why it’s effective, and what organizations can do about it.

The Big Idea: Abuse of Trust, Not Exploitation of a Vulnerability

There was no traditional “hack” involved.

Instead, threat actors:

  • Created legitimate Atlassian Cloud trial instances
  • Used built-in automation and email capabilities
  • Sent messages from real atlassian.net infrastructure
  • Leveraged valid SPF and DKIM authentication

Because the emails came from a trusted SaaS provider with a strong domain reputation, many security controls treated them as low risk.

That’s the core issue: security systems often assume SaaS-generated email is trustworthy by default.

How the Campaign Worked

1. Infrastructure Setup Using Free SaaS Accounts

The attackers created multiple Jira Cloud instances using free or trial accounts. This process is fast and requires minimal validation.

Key characteristics:

  • Instances hosted on legitimate Atlassian Cloud infrastructure
  • No spoofed domains needed
  • No compromised servers involved
  • Disposable environments that could be recreated quickly

Because everything ran inside official Atlassian infrastructure, the outgoing emails inherited the platform’s reputation and authentication setup.

2. Automation Instead of Manual Spam

Rather than bulk-adding users (which would trigger obvious Jira notifications), the attackers used Jira Automation rules.

This allowed them to:

  • Generate custom email content
  • Send messages to external recipients
  • Avoid requiring the recipient to be a Jira user
  • Hide obvious Jira references in the message body

This is a clever pivot: using collaboration tooling as an email delivery platform.

3. Highly Targeted Recipients

This was not generic “spray and pray” spam. The campaign showed signs of deliberate targeting:

  • Government and corporate entities
  • Organizations already using Atlassian tools
  • Recipients segmented by language (English, French, German, Italian, Portuguese, and Russian)

That level of personalization improves click-through rates and makes the messages feel legitimate.

4. Why the Emails Passed Security Checks

Two main technical reasons:

  • Trusted Sender Domain: Emails originated from atlassian.net, a domain with strong historical reputation.
  • Valid Authentication: Messages passed SPF and DKIM checks.

Many email gateways give implicit trust to well-known SaaS domains, especially those commonly used in enterprise workflows.

5. Redirect Infrastructure and Monetization

Once clicked, links did not go directly to obvious scam pages. Instead, they passed through email delivery redirect services and Traffic Distribution Systems (TDS), such as Keitaro, to reach final landing pages promoting investment scams or online casinos.

Why Organizations Using Jira Were Prime Targets

Many targeted organizations already had active Atlassian environments. That matters because:

  • Employees regularly receive Jira notifications
  • Jira emails are routine and expected
  • High email volume reduces scrutiny
  • Collaboration-heavy environments normalize automation alerts

Attackers understand that psychology.

What This Campaign Teaches Us

1. SaaS Platforms Are Now Attack Infrastructure

Cloud services are no longer just targets. They are delivery mechanisms. Attackers increasingly abuse trial accounts and leverage built-in automation.

2. Authentication Is Not Enough

SPF and DKIM confirm that the sender is authorized and that the message has not been altered, but they do not confirm intent or content legitimacy. Passing authentication checks does not equal safety.

3. Domain Reputation Is a Double-Edged Sword

Implicit trust in major SaaS providers can be exploited. Behavioral analysis matters more than domain reputation alone.

Practical Defensive Measures

Strengthen Email Controls

  • Inspect SaaS-generated email for anomalous patterns
  • Flag unusual automation-based messages
  • Monitor for localization mismatches or unexpected language targeting
  • Analyze embedded redirects, not just sender domains

Apply Zero-Trust Thinking to SaaS

Treat cloud-generated email as authenticated but not automatically trusted. Require layered validation for urgency-driven or financial lures.
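The following is an added example, not code from the original post or from Atlassian, showing the "authenticated but not automatically trusted" check as a mail-filter function that scores the sender tenant and link destinations instead of stopping at SPF/DKIM. The tenant name `example-corp`, the sample message, and the premise that the tenant host appears in the sender address are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the original post: which SaaS domain the gateway
# trusts implicitly, and the one tenant host this organization really uses.
TRUSTED_SAAS_SUFFIX = ".atlassian.net"
OWN_TENANT_HOSTS = {"example-corp.atlassian.net"}  # hypothetical tenant

# Constructed sample: authenticated mail from an unknown trial tenant whose
# only link leaves the platform. Addresses and URL are illustrative.
SAMPLE = """\
From: Project Update <jira@sample-trial.atlassian.net>
To: user@example-corp.test
Subject: Action required
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=sample-trial.atlassian.net; dkim=pass header.d=atlassian.net
Content-Type: text/plain; charset=utf-8

Your bonus is waiting: https://redirect.example/c/abc123
"""

def assess(raw: str) -> dict:
    """Score one message on sender tenant and link destinations, not on auth alone."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = bool(re.search(r"\bspf=pass\b", auth) and re.search(r"\bdkim=pass\b", auth))
    # Collect text from every leaf part so multipart mail is covered too.
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if not part.is_multipart()
    )
    link_hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    reasons = []
    if sender_host.endswith(TRUSTED_SAAS_SUFFIX) and sender_host not in OWN_TENANT_HOSTS:
        reasons.append(f"unknown tenant: {sender_host}")
    for host in sorted(h for h in link_hosts if h and h not in OWN_TENANT_HOSTS):
        reasons.append(f"off-tenant link: {host}")
    if not authenticated:
        reasons.append("SPF/DKIM did not both pass")
    # Passing authentication never clears a message; it only identifies the platform.
    return {"authenticated": authenticated, "reasons": reasons,
            "verdict": "quarantine" if reasons else "deliver"}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The constructed sample passes both authentication checks and is still quarantined, because the tenant is not the organization's own and the link resolves off-platform.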

Monitor for Trial Account Abuse

Track abnormal outbound email behavior from SaaS tenants and work with vendors to report abuse.

Improve User Awareness

Train employees to verify unexpected notifications and inspect URLs before clicking. Users should learn that “comes from a trusted platform” does not mean “safe.”

The Bigger Trend

As organizations move deeper into SaaS ecosystems, security models must evolve from static trust to continuous validation. Trust relationships are the new attack surface.