Cybercriminals have launched extensive spam campaigns aimed at government agencies and investors by taking advantage of Atlassian Jira Cloud. From late December 2025 to late January 2026, these attacks exploited the platform's reliable email system, getting past filters thanks to a strong domain reputation. Using free trial accounts with randomly generated names, threat actors built disposable Jira Cloud instances hosted on authentic AWS infrastructure at IP 13.227.180.4.

By using only the atlassian.net sender reputation, they were able to mix malicious activity with legitimate Atlassian traffic without the need for custom domains or ownership verification. They avoided sending suspicious bulk-user invites that might alert targets by using Jira Automation rules to send carefully crafted emails through integrated platforms.

Recipients did not need to join projects, which enabled anonymous, widespread delivery while passing the SPF and DKIM checks that conventional filters trusted. To increase engagement, the subject lines of emails were localized in English, French, German, Italian, Portuguese, and Russian.

[Figure: Setting up a test Jira instance (Source: trendmicro)]

Some Russian lures advertised gaming bonuses or confirmations such as "Application No.<random> Your confirmation is required," while others made references to rubles and exclusive investments.

Links were routed through go.SparkPostMail1.com, a trustworthy email service, and then through the Keitaro Traffic Distribution System, which led to the final scam sites for investments and casinos.

[Figure: Automation rules can be created using Jira Kanban Board (Source: trendmicro)]

Companies that use Jira in high-volume industries were among the targets, with the attackers taking advantage of their familiarity with these notifications. Atlassian was informed beforehand by Trend Micro.

Indicators of Compromise

| Indicator Type | Value | Description |
|---|---|---|
| IP address | 13.227.180.4 | Spam Jira instances hosted on AWS IP |
| Domain | Adrinal.com | Spam emails with malicious redirects |
| Domain | Barankinyserialxud.online | Investment scam landing page |
| Domain | Archicad3D.com | The ultimate scam destination |
| Hostname | go.SparkPostMail1.com | Intermediary redirection service |
| Subject line | Application <random> You must confirm. | Example of a Russian-localized lure |
| Subject line | There's a brand-new gaming opportunity. | Casino bait in Italian and English |

Mitigation Steps

Organizations should scan for anomalous Atlassian.net emails, especially with financial lures or unusual subjects, using AI-driven tools for behavioral analysis beyond SPF/DKIM.

Implement URL rewriting and redirection, and monitor patterns of trial account creation. Reassess trust in SaaS notifications by treating them as potential threats, regardless of reputation.

[Figure: Breakdown of targets by industry (Source: trendmicro)]

Users of Atlassian can examine logs for misuse and implement more stringent automation controls. Real-time SaaS misuse detection is aided by sophisticated platforms like unified email security. Trend Micro claims that this strategy draws attention to the dangers of growing SaaS workflows and calls for stricter third-party email controls.
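One way to implement the scan for anomalous atlassian.net mail from the mitigation steps, as an added example that is not code from Trend Micro or Atlassian. The expected link domains, the lure keywords, the function names and the two sample messages are assumptions constructed for illustration; the indicator hosts are the ones listed in this article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED = ("atlassian.net", "atlassian.com")  # assumption: expected link domains; tune per tenant
# Redirector and landing hosts from this article's indicator list.
IOC_HOSTS = {"go.sparkpostmail1.com", "adrinal.com",
             "barankinyserialxud.online", "archicad3d.com"}
LURE_RE = re.compile(r"bonus|casino|invest|gaming", re.I)  # assumption: illustrative keywords
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(raw):
    """Reasons an atlassian.net-sent message looks abused (empty list = clean)."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if not under(sender_domain, ("atlassian.net",)):
        return []  # out of scope for this check
    # Authentication-Results is deliberately ignored: these mails pass SPF/DKIM.
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    hosts = {(urlparse(u).hostname or "").rstrip(".") for u in URL_RE.findall(body)}
    reasons = [f"ioc-host:{h}" for h in sorted(hosts) if h in IOC_HOSTS]
    reasons += [f"off-platform-link:{h}" for h in sorted(hosts)
                if h and h not in IOC_HOSTS and not under(h, EXPECTED)]
    if LURE_RE.search(msg.get("Subject", "")):
        reasons.append("lure-subject")
    return reasons

# Constructed sample messages (tenant names and URL paths are made up).
BENIGN = """From: Jira <jira@example-team.atlassian.net>
Subject: [JIRA] (OPS-12) Rotate staging API keys
Authentication-Results: mx.example.org; spf=pass; dkim=pass

View issue: https://example-team.atlassian.net/browse/OPS-12
"""
ABUSED = """From: Jira <jira@qx7f2k.atlassian.net>
Subject: There's a brand-new gaming opportunity
Authentication-Results: mx.example.org; spf=pass; dkim=pass

Claim now: https://go.SparkPostMail1.com/f/a/CONSTRUCTED-PATH
"""
if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("abused", ABUSED)):
        print(name, triage(raw))
```

Both samples carry passing SPF and DKIM results, so the verdict rests only on where the links point and what the subject says.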

Trend Micro provides all the information and hunting queries.