GitHub and Jira Notification Systems Exploited for Phishing Attacks

Severity: High (Score: 67.5)

Sources: Gbhackers, Scworld

Summary

Cybercriminals have exploited GitHub and Atlassian Jira's notification systems to send phishing emails that appear legitimate. These emails bypass standard security checks such as SPF, DKIM, and DMARC because they originate from the platforms' own mail servers. Attackers have specifically targeted GitHub's automated commit notifications, crafting malicious commits that trigger phishing emails related to billing issues. Similarly, Jira's invitation and service desk workflows have been manipulated to inject phishing content into trusted templates, leading to the distribution of seemingly authentic messages. Organizations using these platforms are urged to enhance identity verification measures and adopt a zero-trust approach for SaaS notifications. The ongoing exploitation poses a significant risk to users and organizations relying on these collaboration tools.

Key Points:

  • Phishing emails are sent from GitHub and Jira, evading traditional security filters.
  • Attackers exploit automated notifications related to commits and service desk workflows.
  • Organizations are advised to implement stronger identity verification and zero-trust strategies.
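Because SPF, DKIM and DMARC pass for these messages, triage has to look at the content instead. The following added example, not taken from the sources or from either platform, checks DMARC-passing GitHub and Jira notifications for billing-style wording and for links that leave the platform's own domains; the allow-list, keyword list and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: sender domain -> hosts its notifications normally link to.
PLATFORM_HOSTS = {
    "github.com": ("github.com", "githubusercontent.com"),
    "atlassian.net": ("atlassian.net", "atlassian.com"),
}
# Assumed lure vocabulary, based on the billing theme described above.
LURE_TERMS = re.compile(r"\b(billing|invoice|payment|subscription|refund)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return findings for a DMARC-passing platform notification, else None."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    platform = next((d for d in PLATFORM_HOSTS if under(sender, d)), None)
    # Assumes Authentication-Results was stamped by your own mail gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if platform is None or "dmarc=pass" not in auth:
        return None  # not a trusted-platform message; normal filtering applies
    body = msg.get_payload()  # constructed samples are single-part text
    lures = sorted({t.lower() for t in LURE_TERMS.findall(body)})
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    offsite = sorted(h for h in hosts
                     if not any(under(h, d) for d in PLATFORM_HOSTS[platform]))
    return {"platform": platform, "lure_terms": lures,
            "offsite_hosts": offsite, "review": bool(lures or offsite)}

# Constructed sample messages (not real captures).
HEADERS = """\
From: GitHub <notifications@github.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Subject: [acme/app] Update README

"""
SAMPLE_LURE = HEADERS + ("Your billing details could not be verified.\n"
                         "Confirm at https://billing-check.example/verify\n"
                         "https://github.com/acme/app/commit/0000000\n")
SAMPLE_BENIGN = HEADERS + "Fix typo\nhttps://github.com/acme/app/commit/0000000\n"

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage(raw))
```

A `review` result is a prompt for closer inspection or a user-facing banner, not a verdict: legitimate commit messages and tickets can also contain external links.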

Key Entities

  • Phishing (attack_type)
  • Atlassian Jira (platform)
  • GitHub (platform)
  • JIRA (platform)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • T1566 - Phishing (mitre_attack)