Cybersecurity researchers are warning about a new wave of phishing attacks where threat actors are abusing trusted platforms like GitHub and Atlassian’s Jira to deliver malicious emails that easily bypass traditional security checks. According to findings from Cisco Talos, attackers are leveraging these platforms’ automated notification systems to send phishing lures that appear completely legitimate to enterprise email filters.

Instead of sending emails from their own infrastructure, attackers are using a technique known as Platform-as-a-Proxy (PaaP). In this model, the phishing emails are generated directly by GitHub or Jira systems, meaning they come from trusted servers and pass authentication protocols like SPF, DKIM, and DMARC without issue. Because these messages carry the reputation of legitimate SaaS platforms, security gateways often treat them as safe, allowing malicious content to slip through unnoticed.

What makes this attack particularly dangerous is how it blends social engineering with trusted communication channels. The phishing content is embedded within real notification emails, such as repository invites or project updates, making it difficult for users to distinguish between genuine and malicious messages. This effectively gives attackers a built-in layer of trust that traditional email security tools are not designed to question.

Experts highlight that this technique challenges long-standing assumptions in email security. Authentication protocols like SPF, DKIM, and DMARC only verify that the email was sent by a legitimate server—not whether the intent behind the message is safe. As a result, organizations must rethink their approach and shift toward identity- and behavior-based validation rather than relying solely on domain trust.

To counter these threats, security teams are encouraged to implement stricter controls, such as validating whether notifications originate from authorized GitHub repositories or Jira instances within the organization. Monitoring SaaS activity logs through SIEM or SOAR platforms can also help detect unusual behaviors, such as suspicious project creation, unexpected invitations, or login attempts from unusual locations.
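The tenant check described above can run as a filter applied after SPF, DKIM, and DMARC have already passed. The following Python is an added example, not code from Cisco Talos or either platform; the allowlist values and sample messages are constructed, and it assumes GitHub notifications carry a `List-ID` header of the form `OWNER/REPO <REPO.OWNER.github.com>` and that Jira Cloud notifications are sent from the site's own `atlassian.net` subdomain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: allowlists for a fictional organization; replace with your own tenants.
ALLOWED_GITHUB_OWNERS = {"example-corp"}
ALLOWED_JIRA_SITES = {"example-corp.atlassian.net"}

# Assumed GitHub notification format: List-ID: OWNER/REPO <REPO.OWNER.github.com>
GITHUB_LIST_ID = re.compile(r"^\s*([\w.-]+)/([\w.-]+)\s*<[^>]+\.github\.com>\s*$")


def classify(raw: str) -> str:
    """Return 'allow', 'quarantine', or 'not_saas' for one raw message.

    Authentication results are deliberately ignored: a platform-generated
    lure passes them, so the decision rests on which tenant produced it.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()

    if domain == "github.com":
        match = GITHUB_LIST_ID.match(msg.get("List-ID", ""))
        # A missing or unparsable List-ID leaves no tenant to verify: hold it.
        if match and match.group(1).lower() in ALLOWED_GITHUB_OWNERS:
            return "allow"
        return "quarantine"
    if domain == "atlassian.net" or domain.endswith(".atlassian.net"):
        return "allow" if domain in ALLOWED_JIRA_SITES else "quarantine"
    return "not_saas"


# Constructed sample messages (headers only matter here).
SAMPLES = {
    "own_repo": "From: Alice <notifications@github.com>\n"
                "List-ID: example-corp/payments <payments.example-corp.github.com>\n\nbody",
    "foreign_repo": "From: Billing Team <notifications@github.com>\n"
                    "List-ID: unknown-owner/invoice <invoice.unknown-owner.github.com>\n\nbody",
    "no_list_id": "From: GitHub <noreply@github.com>\nSubject: invitation\n\nbody",
    "own_jira": "From: Jira <jira@example-corp.atlassian.net>\n\nbody",
    "foreign_jira": "From: IT Support <jira@unknown-site.atlassian.net>\n\nbody",
    "other": "From: bob@example.org\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} -> {classify(raw)}")
```

Quarantined messages are candidates for analyst review or a user-facing banner rather than silent deletion, since legitimate external collaboration also arrives from unlisted tenants.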

Additionally, experts recommend introducing friction into sensitive workflows triggered by such notifications. For example, users may be required to verify actions through the official platforms instead of clicking email links, or to complete additional authentication steps before proceeding. Combined with faster reporting and takedown processes, these measures can help reduce the effectiveness of PaaP-based phishing campaigns.

This emerging threat highlights a critical shift in the cybersecurity landscape. As attackers increasingly weaponize trusted platforms, organizations must evolve their defenses to focus not just on where emails come from, but on the context and intent behind them.
