Cisco Talos warns attackers are abusing GitHub and Jira notifications for phishing

Attackers are abusing notification systems on SaaS platforms such as GitHub and Jira to send phishing and spam emails, according to a technical analysis from Cisco Talos published on April 9, 2026. The report says the emails pass standard checks including SPF, DKIM and DMARC, and one observed peak day showed about 2.89% of emails sent from GitHub were tied to this abuse.

KEY FACTS

  • Method: Attackers use platform-generated notifications to make malicious emails look legitimate.
  • GitHub: A commit can trigger email notices to collaborators, with the scam text placed in the longer description.
  • Jira: The Invite Customers feature can send branded service desk emails that carry attacker content.
  • Effect: The messages are less likely to be blocked because they come from trusted infrastructure.

On GitHub, the attackers push a commit to an existing project to trigger automatic emails to collaborators. The short summary appears first in the message, which lets them use an attention-grabbing line before placing fake billing details or phishing links in the longer description.

On Jira, the attackers create a Service Management project, add malicious text to fields such as the Welcome Message or Project Description, and then use Invite Customers to send the email. Atlassian’s backend inserts the content into its own trusted template, producing a service desk notification with branded footer elements.

Because the messages are assembled by the platforms themselves, the emails can satisfy normal authentication checks and look expected in corporate inboxes. The report says that makes them less likely to be flagged by security gateways or blocked by employees.

Researchers also said the abuse works by separating the malicious intent from the underlying delivery system. The result is a phishing message that arrives with a level of trust that defenders are not always set up to challenge.
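
A defender-side check for the gap described above, as an added example that is not from the Talos report or either platform: it scopes on trusted SaaS senders and inspects the message content even when SPF, DKIM and DMARC all pass. The sender domains, lure patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the report): sender domains to scope on, and lure patterns.
SAAS_DOMAINS = ("github.com", "atlassian.net")
LURES = {
    "billing language": re.compile(r"\b(invoice|billing|payment|subscription|refund|charged)\b", re.I),
    "phone number": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
}
URL_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def on_platform(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SAAS_DOMAINS)

def review_notification(raw):
    """Return (authenticated, reasons) for SaaS notifications, None for other mail."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not on_platform(sender_host):
        return None
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    body = " ".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text"
    )
    text = msg.get("Subject", "") + " " + body
    # Authentication passing is recorded but never clears the content checks.
    reasons = [name for name, pat in LURES.items() if pat.search(text)]
    offsite = sorted({h.lower() for h in URL_HOST.findall(text) if not on_platform(h)})
    if offsite:
        reasons.append("off-platform link: " + ", ".join(offsite))
    return authenticated, reasons

# Constructed sample messages (not taken from the report).
HEADERS = (
    "From: notifications@github.com\n"
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
)
LURE_MAIL = HEADERS + (
    "Subject: [example-org/example-repo] Urgent: account notice\n\n"
    "Your subscription invoice of $499.00 was charged. To dispute, call\n"
    "+1 (555) 010-0199 or visit https://billing-support.example/refund\n"
)
BENIGN_MAIL = HEADERS + (
    "Subject: [example-org/example-repo] Fix null check in parser\n\n"
    "View it on GitHub: https://github.com/example-org/example-repo/commit/abc\n"
)
```

Both samples authenticate identically, so only the content findings separate them; a message that is authenticated and still returns reasons is the case an origin-only rule would let through.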

WHY IT MATTERS

The findings show how routine platform notifications can be turned into a delivery path for phishing while avoiding controls that rely on message origin. For organizations, the risk is that trusted SaaS alerts may reach users even when they contain attacker-controlled content.