GitHub and Jira Under the Microscope: How Attackers Are Turning Legitimate Notifications into Phishing Weapons

Summary: Cisco Talos has identified an increase in the use of SaaS platform notification pipelines for sending spam and phishing emails, leveraging the trust in legitimate infrastructure.

Cisco Talos has flagged a concerning trend that highlights a new evolution in phishing tactics: the abuse of notification pipelines in widely used SaaS platforms such as GitHub and Jira.
According to the report, attackers are exploiting a structural weakness: the implicit trust in corporate tool notification systems.

Instead of sending emails from suspicious domains, adversaries use the email sending systems of these platforms. This implies that:

- The emails appear legitimate (they come from trusted domains)
- They bypass traditional spam filters
- They evade reputation-based detection mechanisms

The result is an extremely effective attack vector that reaches victims' inboxes without raising suspicion.

How the Attack Works

The mechanism is ingenious and dangerous at the same time:

- The attacker creates or manipulates content within the platform (e.g., issues, comments, or tickets)
- Inserts malicious links or messages designed to deceive
- The platform automatically sends an email notification
- The recipient receives a legitimate-looking email… with malicious content

This approach turns productivity tools into involuntary channels of phishing distribution.

Why It's Particularly Concerning
This type of attack marks a significant change in the threat landscape:

- Abuse of legitimate infrastructure: it’s not about spoofing, but rather the real use of reliable services
- Higher success rate: users trust notifications from the tools they use daily
- Difficulty in detection: traditional systems are not designed to handle this type of vector

In other words, the security perimeter is no longer at the sender's domain, but within the message content.

Implications for Businesses and Development Teams

The impact is especially critical in environments where these tools form part of the daily workflow:

- Development teams
- DevOps
- Project management
- Technical support

One click on a malicious link inside what appears to be a legitimate notification can compromise credentials, internal systems, or even complete pipelines.

What Can Be Done to Mitigate the Risk

While the attack is sophisticated, key measures exist:

- Carefully review the content of notifications, not just the sender
- Implement Zero Trust policies (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf) in email analysis
- Set up alerts for suspicious activity within SaaS platforms
- Limit who can generate external or automated notifications
- Train users about this new type of phishing
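
The first measure above follows from the earlier point that the perimeter has moved from the sender's domain into the message body. As an added example (not code from the Talos report or from this page), the following Python filter takes a notification e-mail from a trusted platform sender and flags every link in the body that leaves that platform's own domains; the sender allow-list and the sample message are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: the link domains a notification from each platform
# sender is expected to contain. Tune the senders and domains to your tenant.
EXPECTED_LINK_DOMAINS = {
    "notifications@github.com": {"github.com"},
    "jira@example.atlassian.net": {"example.atlassian.net"},
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _host_allowed(host, allowed):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def suspicious_links(raw_message):
    """Return links in a platform notification that point outside the platform.

    The sender is trusted, so the check deliberately ignores sender reputation
    and looks only at where the links in the body actually go.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    allowed = EXPECTED_LINK_DOMAINS.get(sender)
    if allowed is None:
        return []  # not a modelled platform sender; ordinary mail filtering applies
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return [u for u in URL_RE.findall(text)
            if not _host_allowed(urlparse(u).hostname or "", allowed)]


# Constructed sample: a GitHub issue notification whose body carries an
# off-platform link (placeholder .invalid domain) next to the genuine issue link.
SAMPLE_NOTIFICATION = """\
From: "some-user" <notifications@github.com>
To: dev@example.com
Subject: [example/repo] Please confirm your access (Issue #123)
Content-Type: text/plain; charset=utf-8

Your access is about to expire, confirm it here:
https://account-check.invalid/github
View it on GitHub: https://github.com/example/repo/issues/123
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_NOTIFICATION))
```

A hit on a message whose sender passes every reputation check is exactly the signal the notification-abuse pattern leaves behind, so it belongs in the SaaS-activity alerting the list recommends.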

Conclusion

Cisco Talos’ findings confirm a clear trend: attackers are moving away from proprietary infrastructure and starting to parasitize legitimate services to amplify the reach of their campaigns. In an environment where tools like GitHub and Jira are essential, the line between legitimate communication and malicious attacks is becoming increasingly blurred. Trust, one of the pillars of the digital ecosystem, is turning into its greatest vulnerability.

Key facts

  • Cisco Talos has noticed an increase in activities using SaaS notification pipelines.
  • Adversaries send spam and phishing emails through the email delivery system associated with platforms like GitHub and Jira.
  • This method leverages trust in legitimate infrastructure to bypass traditional defenses against phishing and credential theft.

Why it matters

This method allows attackers to deploy malicious content with a 'stamp of approval' that few security systems are configured to challenge, representing a significant risk for organizations that rely on these platforms.