Attackers are abusing notification systems in Atlassian’s Jira and other SaaS platforms to distribute phishing and spam. Security researchers at Cisco Talos reported the vulnerability on April 9, 2026.
Because the emails originate from the platform’s own infrastructure, they pass SPF, DKIM, and DMARC authentication and so bypass those checks.
The Jira exploit specifically targets the "Invite Customers" feature. Attackers place malicious content into project welcome messages or description fields. Jira then incorporates this content into system-generated invitation emails.
Because Jira notifications are frequent and trusted in corporate environments, they are less likely to be flagged by security software or employees.
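Since sender authentication passes for these messages, a mail filter has to look at the body instead. The following is an added detection sketch, not code from Cisco Talos or Atlassian: it lists off-platform link hosts in an authenticated platform notification. The sender suffix, the link allowlist and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the article): tune both tuples to your own tenant.
PLATFORM_SENDER_SUFFIXES = ("atlassian.net",)
ALLOWED_LINK_SUFFIXES = ("atlassian.net", "atlassian.com")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def _in_suffixes(host, suffixes):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc all pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(re.search(rf"\b{m}=pass\b", results) for m in ("spf", "dkim", "dmarc"))

def body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def review_notification(raw):
    """Return off-platform link hosts found in an authenticated platform email."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not (_in_suffixes(sender_host, PLATFORM_SENDER_SUFFIXES) and auth_passed(msg)):
        return []  # not the case described; normal SPF/DKIM/DMARC handling applies
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body_text(msg))}
    return sorted(h for h in hosts if h and not _in_suffixes(h, ALLOWED_LINK_SUFFIXES))

# Constructed sample message (not a real capture).
SAMPLE = """\
From: Jira <jira@example-tenant.atlassian.net>
To: user@corp.example
Subject: You have been invited to a project
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=atlassian.net; dkim=pass header.d=atlassian.net; dmarc=pass
Content-Type: text/plain; charset=utf-8

Welcome! Verify your account at https://login.payments-example.test/verify
View the portal: https://example-tenant.atlassian.net/servicedesk
"""
if __name__ == "__main__":
    print(review_notification(SAMPLE))
```

A non-empty result is a reason to quarantine or add a warning banner, not proof of phishing, since legitimate projects may also link to external sites.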