Phishing Attacks Using GitHub and Jira Notifications: Security Alert


In the evolving landscape of cyber threats, the concept of trust has become a double-edged sword. Security teams have spent decades fortifying perimeters, only to find that the most potent phishing attacks of 2026 are not attempting to bypass these defenses—they are simply walking through the front door, wearing the digital identity of the platforms we trust most. Cisco Talos researchers have recently issued a stark warning regarding a surge in “Living off Trusted Services” (LoTS) attacks. This sophisticated methodology exploits the automated notification pipelines of enterprise staples like GitHub and Jira, fundamentally challenging our reliance on verified domains as a benchmark for safety.

The Mechanics of the “Platform-as-a-Proxy” Model

The core innovation—if it can be called that—of these LoTS attacks is a transition from spoofing trust to weaponizing it. In a traditional phishing campaign, attackers try to trick email security gateways by using look-alike domains (typosquatting) or by attempting to slip past SPF, DKIM, and DMARC checks. These efforts are often caught by modern reputation-based filters.

The LoTS model, or “Platform-as-a-Proxy” (PaaP), bypasses this entirely. Because the malicious lures are transmitted through the legitimate mail delivery infrastructure of GitHub and Atlassian (the parent company of Jira), the emails pass every sender-authentication check (SPF, DKIM, and DMARC) as a matter of course. To an email security appliance, the message is indistinguishable from a genuine project update or system alert. It carries the “seal of approval” of a trusted provider, effectively neutralizing the first and most critical gatekeepers of enterprise email security.

Exploiting GitHub: The Automated Commit Lure

GitHub’s notification architecture is designed to keep collaborators informed of repository activity, a feature inherently tied to developer workflow. Attackers leverage this by:

  • Creating a project or repository on GitHub.
  • Performing a “commit” where the commit summary or description field is populated with a social engineering hook (e.g., a fake job offer, urgent security warning, or malicious link).
  • Triggering an automatic notification by mentioning or inviting a targeted user to the repository.

The recipient receives a perfectly formatted GitHub email. Because GitHub provides two text fields—a short summary and a longer description—attackers are adept at placing a concise, curiosity-inducing hook in the summary, while hiding the phishing payload or malicious link within the expanded description. On peak days, Talos has observed that a significant percentage of traffic originating from GitHub infrastructure has been associated with this type of abuse, turning a standard developer tool into a high-volume delivery mechanism.

Weaponizing Jira: Mimicking Enterprise Alerts

While GitHub is abused primarily for its developer reputation, Jira is weaponized for its position within the business-critical stack. Attackers exploit the “Invite Customers” feature within Jira Service Management to perform their attacks. The process is deceptively simple:

  1. The attacker registers a new Jira account and initiates a new Service Management project with a professional, trustworthy-sounding name.
  2. Malicious lures, such as fake billing alerts or urgent helpdesk requests, are injected into the “Welcome Message” or “Project Description” fields.
  3. The attacker triggers the platform’s “Invite” functionality to send emails to target employees.

Atlassian’s backend then assembles these malicious inputs into its standard, cryptographically signed notification template. Employees, pre-conditioned to treat Jira alerts as high-priority business communications, are significantly more likely to engage with the content without the scrutiny they might apply to an external email.

Why Traditional Defenses Are Struggling

The success of these phishing attacks stems from “automation fatigue”—a cognitive bias where users are conditioned to reflexively trust system-generated alerts. When an email originates from `github.com` or `atlassian.net`, even seasoned IT staff may lower their guard. The technical “trust” validated by security gateways is misinterpreted as a “safety” guarantee regarding the content of the link itself. Authentication only proves that the message really left the platform's servers; it says nothing about who typed the text or where the embedded link leads.

Furthermore, these campaigns are notoriously difficult to attribute or block via standard URL reputation services. Attackers often use redirect chains—where a link in the notification leads to a URL shortener, then through a series of intermediate hops, before finally landing the user on a credential harvesting page. This obfuscation makes it nearly impossible for traditional security tools, which primarily evaluate the first hop or the reputation of the sender domain, to identify the malicious intent.

Strategic Mitigation and User Behavioral Shifts

Defending against an attack that uses the tools you rely on requires moving beyond perimeter-based controls. A layered defense strategy must incorporate both technical adjustments and a shift in user behavior.

Advanced Technical Controls

  • Contextual Email Scanning: Organizations should move beyond checking SPF/DKIM to implement content-aware filtering that can inspect the body of emails, even those from trusted domains, for common phishing characteristics like urgent calls to action or suspicious redirect patterns.
  • URL Rewriting and Sandboxing: Ensure that all links within incoming emails, including those from trusted SaaS platforms, are rewritten and opened in a secure, isolated, or sandboxed environment before they reach the end user.
  • Credential Monitoring: Since these attacks are primarily aimed at harvesting credentials, enforce strict multi-factor authentication (MFA) across all corporate and third-party SaaS accounts. Hardware-backed security keys (FIDO2) are highly recommended to prevent man-in-the-middle phishing attempts.
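The contextual scanning from the first bullet, applied to the redirect-chain problem described earlier, as an added Python example (not code from the article or from Talos): the triage treats a passing SPF/DKIM/DMARC result as irrelevant and instead checks whether body links leave the sending platform's own domain and whether the text carries lure language. The platform domain list, the keyword list, the scoring weights, and the sample message are all assumptions constructed for the example.

```python
# Added example (not from the Talos report or the article): content-aware triage
# of a notification that already passes SPF/DKIM/DMARC. Sender reputation is
# deliberately ignored; the body is inspected for links that leave the platform's
# own domain and for the urgency language typical of LoTS lures.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a platform's own notification links may legitimately use (assumed list).
PLATFORM_DOMAINS = {
    "github.com": {"github.com"},
    "atlassian.net": {"atlassian.net", "atlassian.com"},
}
URGENCY = re.compile(r"\b(urgent|immediately|account (will be )?suspended|"
                     r"verify your|action required|invoice overdue)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def in_domain(host, allowed):
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(raw_email):
    """Return findings for one message; a passing auth result is never 'safe'."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    sender_host = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    authenticated = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    platform = next((p for p in PLATFORM_DOMAINS if in_domain(sender_host, {p})), None)
    body = (msg.get_body(preferencelist=("plain", "html")) or msg).get_content()
    urls = URL_RE.findall(body)
    offplatform = [u for u in urls if platform and
                   not in_domain((urlparse(u).hostname or "").lower(), PLATFORM_DOMAINS[platform])]
    lure_terms = sorted({m.group(0).lower() for m in URGENCY.finditer(body)})
    score = 2 * len(offplatform) + len(lure_terms)   # crude weighting, tune to taste
    verdict = "quarantine" if score >= 3 else ("flag" if score else "deliver")
    return {"authenticated": authenticated, "platform": platform,
            "offplatform_links": offplatform, "lure_terms": lure_terms, "verdict": verdict}

# Constructed sample: a fully authenticated GitHub notification carrying a lure.
LURE = """From: GitHub <notifications@github.com>
To: dev@example.com
Subject: [acme/payroll] New commit
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=github.com; dmarc=pass
Content-Type: text/plain; charset=utf-8

Action required: your account will be suspended unless you verify your
credentials immediately at https://link.short.example/verify
View commit: https://github.com/acme/payroll/commit/abc123
"""
```

The same message with only the on-platform commit link and no urgency wording scores zero and is delivered, which is the point: the verdict comes from the body, not from the authenticated sender.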

The Human Factor: Behavioral Training

The most effective defense remains the “Verify, Don’t Trust” mentality. Organizations should train employees on the following behaviors:

  • Direct Navigation: If you receive a notification alert from a service like GitHub or Jira, never click the links in the email. Instead, navigate manually to the platform’s web portal through your browser bookmark to check for legitimate activity.
  • Verify the Source of Urgency: Be skeptical of any “urgent” or “required action” requests that originate from collaboration platforms, especially if they are unexpected.
  • Reporting Procedures: Ensure there is a clear, simple path for employees to report suspicious notification emails to the security team. These reports are invaluable for identifying new campaign patterns and updating internal blocklists.

As we navigate the remainder of 2026, the rise of LoTS-based phishing attacks serves as a reminder that the perimeter of the enterprise is no longer a physical or logical boundary—it is wherever our employees interact with the tools of their trade. By recognizing that legitimate platforms can be turned into delivery vehicles for threats, organizations can better prepare to identify and neutralize these “trusted” incursions before they lead to catastrophic credential compromises.

Written by TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.