Cybercriminals have launched a refined spam campaign that rides on the trusted infrastructure of Atlassian Cloud.
By abusing legitimate features of the platform, the attackers bypass conventional email security controls and reach high-value recipients.
The campaign aims to lure users into fraudulent investment schemes, trading on the credibility that reputable software-as-a-service providers carry to deceive recipients.
The attacks are deliberately aimed at government and corporate organizations across several regions, covering English-, French-, German-, Italian-, Portuguese- and Russian-speaking audiences.
Rather than generic spam, the messages are tailored to each language community. The primary objective is to drive traffic to malicious landing pages through Keitaro TDS, generating revenue from scams and illicit advertising.
Trend Micro analysts discovered that this activity gained prominence between late December 2025 and January 2026.
Because the mail originates from an established cloud service with a strong domain reputation, the attackers can be confident that their messages pass standard authentication checks such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
This makes detection considerably harder for traditional security filters, which typically extend trust to messages from recognized SaaS platforms.
The campaign shows a high degree of automation, allowing the threat actors to scale their operations quickly.
They set up numerous Atlassian instances to send their messages, so that if one instance is blocked, the others keep running.
This resilience illustrates how contemporary cybercriminals increasingly abuse legitimate tools to carry out malicious activity without triggering immediate alerts.
Mechanism of Infrastructure Abuse
The campaign rests on how easily threat actors can provision disposable infrastructure for their attacks.
The attackers begin by creating Atlassian Cloud accounts with randomized names, which lets them spin up numerous Jira Cloud instances without having to prove ownership of any domain.
These instances resolve to legitimate AWS IP addresses shared with genuine deployments, further masking the malicious nature of the activity. Instead of building authenticity through domain registration, the attackers rely on the inherent trust placed in Atlassian-generated emails.
Once the infrastructure is in place, the attackers use Jira Automation to compose and distribute tailored emails.
This technique lets them send messages directly through Atlassian’s built-in email system, removing any need for mail servers of their own.
The recipients do not need to be registered users of the instance, which allows wide distribution without exposing the attacker’s true identity or infrastructure.
To counter this kind of abuse, organizations must reassess how much trust they place in emails generated by third-party cloud services. Security teams are urged to deploy advanced email security controls that provide layered detection and identity-aware policies.
Such measures are essential for identifying and blocking phishing that abuses trusted SaaS platforms. Watching for indicators of compromise, such as specific URL patterns and redirect chains, further helps mitigate these threats.
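As an added illustration of the identity-aware triage recommended above (this is example code written for this page, not Trend Micro's or Atlassian's tooling), the following Python scores a Jira Cloud notification by tenant reputation and by links that leave Atlassian's domains, treating an SPF/DKIM pass as informational rather than as a reason to clear the message. It assumes notification mail arrives as jira@<tenant>.atlassian.net, that the organization keeps an allow-list of its own tenants, and uses constructed sample messages with placeholder domains; the randomness thresholds are assumptions to tune locally.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Assumed sender form for Jira Cloud notification mail: jira@<tenant>.atlassian.net
ATLASSIAN_SENDER = re.compile(r"@(?P<tenant>[a-z0-9-]+)\.atlassian\.net>?$", re.I)
TRUSTED_LINK_HOSTS = ("atlassian.net", "atlassian.com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def tenant_looks_random(tenant: str) -> bool:  # digit/vowel thresholds are assumptions
    letters = re.sub(r"[^a-z]", "", tenant.lower())
    digits = sum(c.isdigit() for c in tenant)
    vowels = sum(c in "aeiou" for c in letters)
    if len(tenant) >= 8 and digits / len(tenant) >= 0.3:
        return True
    return len(letters) >= 6 and vowels / len(letters) < 0.2

def external_link_hosts(body: str) -> list[str]:  # link hosts outside Atlassian domains
    hosts = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and not host.endswith(TRUSTED_LINK_HOSTS):
            hosts.append(host)
    return hosts

def triage(raw_email: str, known_tenants: set[str]) -> dict:
    """Score one message; SPF/DKIM pass is recorded but never used to clear it."""
    msg = message_from_string(raw_email)
    auth = msg.get("Authentication-Results", "").lower()
    match = ATLASSIAN_SENDER.search(msg.get("From", "").strip())
    tenant = match.group("tenant").lower() if match else None
    verdict = {"auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
               "tenant": tenant, "reasons": [], "escalate": False}
    if tenant is None:  # not Atlassian-generated; out of scope for this rule
        return verdict
    if tenant not in known_tenants:
        verdict["reasons"].append("unknown tenant")
    if tenant_looks_random(tenant):
        verdict["reasons"].append("random-looking tenant name")
    if hosts := external_link_hosts(msg.get_payload()):
        verdict["reasons"].append("external links: " + ", ".join(sorted(set(hosts))))
    # Unknown tenant plus at least one more signal: hold for review despite auth pass.
    verdict["escalate"] = tenant not in known_tenants and len(verdict["reasons"]) > 1
    return verdict

# Constructed sample: authenticated Jira notification from an unknown, random-looking tenant.
SAMPLE = """From: Jira <jira@x7k9q2m4p.atlassian.net>
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=atlassian.net

Review your pending payout: https://track.example-redirect.invalid/go?c=42
"""
```

Feeding `SAMPLE` to `triage(SAMPLE, {"acme-engineering"})` escalates the message even though authentication passed, because the tenant is unknown, looks randomized, and links out to a non-Atlassian host.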