Cybercriminals have launched a spam campaign that runs on Atlassian Cloud's own infrastructure. By abusing legitimate platform features, the attackers slip past conventional email security controls and reach high-value targets. The campaign trades on the trust that comes with a reputable software-as-a-service provider to lure recipients toward fraudulent investment schemes.

The attacks are targeted rather than indiscriminate: they hit government and corporate organizations across several regions, with lures written in Russian, English, French, German, Italian, and Portuguese. The messages are tailored to each language group rather than being generic spam. The end goal is to funnel traffic through the Keitaro traffic distribution system (TDS) to malicious landing pages that monetize victims through fraud and illicit advertising.

Researchers from Trend Micro found that this activity peaked between late December 2025 and January 2026. Because the mail is sent by a well-known cloud service with a solid domain reputation, it passes common authentication checks such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Those checks only confirm that Atlassian sent the message; they say nothing about who controls the Jira tenant behind it. That makes detection much harder for traditional filters, which typically wave through notifications from trusted SaaS platforms.

The campaign is highly automated, which lets the threat actors scale quickly. They spread their messages across several Atlassian instances, so if one instance is blocked, the others keep operating.

[Figure: one of the campaign's final landing pages (Source: Trend Micro)]

This adaptability shows how contemporary cybercriminals weaponize trusted tools to carry out malicious activity without triggering immediate alarms.

How Infrastructure Abuse Occurs

At the core of the campaign is how easily threat actors can stand up disposable infrastructure. Attackers first create Atlassian Cloud accounts with randomized naming conventions, which lets them spin up large numbers of Jira Cloud instances without any domain ownership verification.

[Figure: setting up a test Jira instance (Source: Trend Micro)]

These instances resolve to genuine AWS IP addresses shared with legitimate deployments, which further conceals the malicious activity: blocking by IP would also block real Atlassian tenants.

Rather than registering domains to build legitimacy, the attackers rely on the inherent trust granted to email generated by Atlassian. Once the infrastructure is in place, they use Jira Automation to craft and send the emails.

[Figure: automation rules being created from a Jira Kanban board (Source: Trend Micro)]

This approach removes the need for their own mail servers: messages go straight through Atlassian's built-in email system. Because recipients do not need to be users of the instance, the attackers can send at scale without exposing their real identity or infrastructure.

[Figure: targets broken down by industry (Source: Trend Micro)]

To counter this kind of abuse, organizations should reconsider the assumption that email generated by third-party cloud services can be trusted.

Security teams should deploy email security with identity-aware controls and layered detection; these are essential for catching phishing that rides on trusted SaaS platforms. In practice that means deciding which Atlassian tenants (the <site>.atlassian.net instances) the organization actually uses, and treating notification mail from any other tenant with the same suspicion as mail from an unknown domain. Monitoring for indicators of compromise such as specific URL patterns and redirect chains also helps reduce the risk.
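One concrete form of the identity-aware check described above, as an added example (not code from Trend Micro, Atlassian, or this article): the script below triages mail that claims to come from Jira Cloud against an allowlist of the tenants the organization actually owns, and flags off-platform links, which is where a redirect chain toward a landing page would begin. It assumes Jira Cloud notifications are sent from jira@<site>.atlassian.net, that the organization's only tenant is the hypothetical acme-corp, and that the two sample messages (including their Authentication-Results headers) are constructed for illustration.

```python
"""Triage Jira Cloud notification mail against an allowlist of known tenants.

Added example, not code from Trend Micro, Atlassian or the article above.
Assumption: Jira Cloud notifications arrive from jira@<site>.atlassian.net.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import urlparse

JIRA_SENDER = re.compile(r"^jira@([a-z0-9-]+)\.atlassian\.net$", re.I)
SITE_HOST = re.compile(r"^([a-z0-9-]+)\.atlassian\.net$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Hypothetical allowlist: the Atlassian tenant(s) this organization really uses.
KNOWN_SITES: FrozenSet[str] = frozenset({"acme-corp"})


def sender_address(msg: Message) -> str:
    """Bare, lowercased address from the From header."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()


def atlassian_site(host: str) -> Optional[str]:
    """Tenant name if host is exactly <site>.atlassian.net, else None."""
    m = SITE_HOST.match(host)
    return m.group(1).lower() if m else None


def triage(raw_mail: str, known_sites: FrozenSet[str] = KNOWN_SITES) -> Dict[str, object]:
    """Return sender, whether SPF/DKIM passed, findings and a verdict."""
    msg = message_from_string(raw_mail)
    findings: List[str] = []

    sender = sender_address(msg)
    m = JIRA_SENDER.match(sender)
    if m and m.group(1).lower() not in known_sites:
        findings.append(f"sender-tenant-unknown:{m.group(1).lower()}")

    # Recorded as context only. The campaign passes SPF/DKIM because Atlassian
    # really did send the mail, so a pass must not be treated as a trust signal.
    auth = msg.get("Authentication-Results", "")
    auth_pass = "spf=pass" in auth and "dkim=pass" in auth

    payload = msg.get_payload(decode=True)
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload or "")
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        site = atlassian_site(host)
        if site is None:
            # Our own Jira links back into our own tenant. An off-platform link
            # is where a redirect chain to the landing page would start.
            findings.append(f"external-link:{host}")
        elif site not in known_sites:
            findings.append(f"link-tenant-unknown:{site}")

    return {
        "sender": sender,
        "auth_pass": auth_pass,
        "findings": findings,
        "verdict": "suspicious" if findings else "ok",
    }


# Constructed sample messages for illustration; not real campaign mail.
LEGIT_MAIL = """\
From: Jira <jira@acme-corp.atlassian.net>
To: dev@acme.example
Subject: [JIRA] (ACME-12) Build failing on main
Authentication-Results: mx.acme.example; spf=pass; dkim=pass
Content-Type: text/plain; charset=utf-8

Alice commented on ACME-12: https://acme-corp.atlassian.net/browse/ACME-12
"""

SPAM_MAIL = """\
From: Jira <jira@xk7q2p9wv.atlassian.net>
To: cfo@acme.example
Subject: [JIRA] (INV-1) Your pending payout is ready
Authentication-Results: mx.acme.example; spf=pass; dkim=pass
Content-Type: text/plain; charset=utf-8

Claim your profit here: https://example.org/go?c=INV-1
Issue link: https://xk7q2p9wv.atlassian.net/browse/INV-1
"""

if __name__ == "__main__":
    for sample in (LEGIT_MAIL, SPAM_MAIL):
        print(triage(sample))
```

Both samples pass SPF and DKIM, which is exactly why the verdict is driven by the tenant name and the link targets rather than by authentication results. The host match is anchored on both ends so a lookalike such as something.atlassian.net.example.org is not mistaken for an Atlassian tenant.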
