Full Report
Cisco Talos has recently observed an increase in activity that leverages the notification pipelines of popular collaboration platforms to deliver spam and phishing email.
Analysis Summary
# Tool/Technique: SaaS Notification Hijacking (Platform-as-a-Proxy)
## Overview
This technique, dubbed **Platform-as-a-Proxy (PaaP)**, involves threat actors weaponizing the legitimate notification infrastructure of popular SaaS collaboration platforms (e.g., GitHub, Jira). By embedding malicious lures in system-generated messages, attackers get past email security filters that weight sender reputation and authentication results: the mail genuinely originates from the platform, so SPF, DKIM and DMARC pass, and a gateway that treats that pass as a verdict on the content lets the lure through.
## Technical Details
- **Type:** Technique (Platform Abuse / Social Engineering)
- **Platform:** SaaS Collaboration Tools (GitHub, Atlassian/Jira)
- **Capabilities:** Bypassing email security gateways, leveraging trusted infrastructure, automated phishing delivery.
- **First Seen:** Observed increase leading up to February 2026.
## MITRE ATT&CK Mapping
- **[TA0042 - Resource Development]**
- **[T1583.003 - Acquire Infrastructure: Web Services]** (free accounts/projects on GitHub or Atlassian used as the delivery channel)
- **[TA0001 - Initial Access]**
- **[T1566 - Phishing]**
- **[T1566.003 - Phishing: Spearphishing via Service]** (lure delivered through a third-party service's own notification mail)
- **[TA0005 - Defense Evasion]**
- **[T1036 - Masquerading]** (lure text dressed up as a routine platform notification)
## Functionality
### Core Capabilities
- **Authenticated Delivery:** Messages are sent by the platform's own mail infrastructure (e.g., GitHub SMTP servers), so SPF, DKIM and DMARC legitimately pass. Nothing is bypassed: those checks answer "did GitHub send this?", not "is the content safe?", and gateways that treat a pass as a "seal of approval" deliver the lure.
- **Weaponized Input Fields:** Attackers use mandatory content fields (like Git commit summaries) and optional fields (descriptions) to inject social engineering hooks and fraudulent billing/support details.
- **Workflow Abuse:** Exploiting team invitation features to inject malicious data into standard project collaboration templates.
### Advanced Features
- **PaaP (Platform-as-a-Proxy):** Decoupling malicious intent from the attacker's own technical infrastructure by using the platform as a delivery proxy; the attacker never needs a mail server, domain or sender reputation of their own.
- **Notification Fatigue Exploitation:** Relying on the high volume of legitimate automated alerts users receive daily to slip through malicious content unnoticed.
## Indicators of Compromise
- **File Names:** N/A (Web-based lure/Phishing)
- **Network Indicators** (these are legitimate platform infrastructure, not a blocklist: blocking them blocks every genuine GitHub notification; use them to identify platform-originated mail that needs content inspection rather than reputation scoring):
- `out-28[.]smtp[.]github[.]com`
- `192[.]30[.]252[.]211` (verified GitHub SMTP)
- `noreply[@]github[.]com`
- **Behavioral Indicators:**
- Sudden volume spikes in platform notifications containing keywords like "invoice" or "payment" (such messages rose to 2.89% of observed GitHub-originated mail on 2026-02-17).
- Receipt of invitations to Jira Service Management projects from unknown or external sources.
## Associated Threat Actors
- Various unidentified groups specializing in **Credential Harvesting** and **Social Engineering**.
## Detection Methods
- **Behavioral Detection:** Monitoring for atypical volumes of platform-generated emails containing financial or urgent keywords (e.g., "Invoice," "Subscription").
- **Analysis of Embedded Links:** Inspecting the final destination of links within SaaS templates rather than just the sender's reputation.
- **Contextual Analysis:** Cross-referencing platform invitations against known internal business logic and active projects.
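A triage routine for the three detection methods above, added here as an example (it is not Talos tooling or GitHub code): it parses raw notification mail, treats a message as platform-originated only when `Authentication-Results` records spf/dkim/dmarc as pass and the sender is a known platform address, then scores the content on lure keywords and on links that leave the platform's own domains; a second function flags a daily volume spike against a trailing baseline. The sender allow-list, the platform domain list, both sample messages and the daily percentages are constructed for the demo.

```python
"""Triage of platform notification mail for Platform-as-a-Proxy lures.
Added example, not Talos or GitHub code; all messages, counts and allow-lists
below are constructed or assumed for the demo."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed: senders a gateway implicitly trusts, and the domains a genuine
# notification link should stay on.
PLATFORM_SENDERS = {"noreply@github.com", "jira@atlassian.net"}
PLATFORM_DOMAINS = {"github.com", "atlassian.net"}
LURE_KEYWORDS = ("invoice", "payment", "subscription", "overdue", "billing")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

def auth_passed(msg):
    """True only when the gateway recorded spf, dkim and dmarc all as pass."""
    hdr = msg.get("Authentication-Results", "")
    return all(re.search(rf"\b{m}=pass\b", hdr, re.I) for m in ("spf", "dkim", "dmarc"))

def sender_address(msg):
    """Bare address from the From header, lower-cased."""
    frm = msg.get("From", "")
    m = re.search(r"<([^>]+)>", frm)
    return (m.group(1) if m else frm).strip().lower()

def plain_text(msg):
    """Concatenate text/plain parts (single-part or MIME)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def off_platform_links(text):
    """URLs whose host is not on (or under) a platform domain."""
    bad = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS):
            bad.append(url)
    return bad

def triage(raw):
    """Classify one raw RFC 5322 message. 'paap_lure' means: genuinely
    platform-sent (auth pass + known sender) AND a financial hook in the
    platform-authored text AND a link leading off the platform. Sender
    reputation alone decides nothing here."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + plain_text(msg)
    keywords = sorted(k for k in LURE_KEYWORDS if k in text.lower())
    links = off_platform_links(text)
    trusted = auth_passed(msg) and sender_address(msg) in PLATFORM_SENDERS
    verdict = "paap_lure" if trusted and keywords and links else "benign"
    return {"trusted_platform": trusted, "keywords": keywords,
            "off_platform_links": links, "verdict": verdict}

def spike_days(daily_pct, window=7, factor=3.0):
    """Day indices whose lure share exceeds factor x the trailing-window mean;
    the first `window` days only seed the baseline."""
    flagged = []
    for i in range(window, len(daily_pct)):
        baseline = sum(daily_pct[i - window:i]) / window
        if baseline > 0 and daily_pct[i] > factor * baseline:
            flagged.append(i)
    return flagged

# Constructed samples: a lure riding the commit-summary field, and a normal alert.
LURE = """\
From: "acme-bot" <noreply@github.com>
Subject: [acme/accounts] Invoice #4471 overdue - payment required
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

  Your invoice is overdue. Review payment at https://pay-portal.example/inv/4471

View it on GitHub: https://github.com/acme/accounts/commit/a1b2c3d
"""
BENIGN = """\
From: "dev1" <noreply@github.com>
Subject: [acme/api] Fix null dereference in request parser
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

  Fix null dereference in request parser

View it on GitHub: https://github.com/acme/api/commit/d4e5f6a
"""
# Constructed daily share (percent) of GitHub mail triaged as a lure; the last
# value mirrors the 2.89% figure reported above.
DAILY_LURE_PCT = [0.31, 0.28, 0.35, 0.30, 0.27, 0.33, 0.29, 0.32, 2.89]

if __name__ == "__main__":
    for raw in (LURE, BENIGN):
        print(triage(raw))
    print("spike on day index:", spike_days(DAILY_LURE_PCT))
```

The verdict is deliberately keyed on the combination: an authenticated GitHub message is the normal case, financial words alone appear in legitimate repositories, and an off-platform link alone is common in release notes; only all three together match the pattern the report describes. In production the same logic would also have to walk `text/html` parts, since real platform notifications are multipart/alternative and the lure link may only appear in the HTML body.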
## Mitigation Strategies
- **Out-of-Band Verification:** Mandating that users verify new project invitations or requests by logging into the platform directly (typed URL or bookmark) rather than by clicking links in the email.
- **Friction-Based Policies:** Implementing security policies that require manual approval or second-factor verification for interacting with external SaaS collaboration requests.
- **Automated Takedown Orchestration:** Integrating security workflows to report malicious repositories/projects directly to SaaS providers' Trust and Safety teams via API.
- **User Awareness:** Training employees to recognize that "authenticated" emails (SPF/DKIM pass) can still contain malicious content if they originate from abused shared platforms.
## Related Tools/Techniques
- **Phishing/Credential Harvesting**
- **Social Engineering**
- **Living off Trusted Sites (LoTS)**