{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-harvesting/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["saas-abuse","phishing","credential-harvesting","github","jira"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in malicious activity that abuses notification pipelines within popular collaboration platforms, such as GitHub and Jira, to distribute spam and phishing emails. This technique, known as Platform-as-a-Proxy (PaaP), enables threat actors to bypass conventional email security filters by leveraging the trusted infrastructure of legitimate SaaS providers. Attackers embed malicious content within system-generated notifications, exploiting the implicit trust organizations place in these platforms. This allows them to effectively weaponize legitimate infrastructure and deliver phishing content, often leading to credential harvesting and subsequent attacks. During a campaign on February 17, 2026, approximately 2.89% of emails originating from GitHub were associated with this abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eRepository Creation (GitHub):\u003c/strong\u003e Attackers create new repositories on GitHub to host their malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Message Crafting (GitHub):\u003c/strong\u003e Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Push (GitHub):\u003c/strong\u003e Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProject Creation (Jira):\u003c/strong\u003e Attackers create a new Jira Service Management project to configure automated customer invites.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Data Input (Jira):\u003c/strong\u003e Attackers inject malicious lures into data fields, such as the \u0026ldquo;Project Name,\u0026rdquo; \u0026ldquo;Welcome Message,\u0026rdquo; or \u0026ldquo;Project Description\u0026rdquo; fields, within the Jira project configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCustomer Invite (Jira):\u003c/strong\u003e The attacker utilizes the \u0026ldquo;Invite Customers\u0026rdquo; feature and inputs the victim\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated Notification Generation (GitHub/Jira):\u003c/strong\u003e The platforms (GitHub/Jira) automatically generate email notifications containing the attacker-supplied malicious content, bypassing standard email security checks due to the trusted source.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting/Social Engineering:\u003c/strong\u003e Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAbusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. On February 17, 2026, 2.89% of emails originating from GitHub were associated with this abuse. The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: \u0026ldquo;GitHub Commit Message Phishing Lure\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: \u0026ldquo;Jira Service Desk Invite Abuse\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eReview email logs for messages originating from \u003ccode\u003enoreply[@]github.com\u003c/code\u003e that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).\u003c/li\u003e\n\u003cli\u003eImplement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.\u003c/li\u003e\n\u003cli\u003eEducate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing information.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:00:35Z","date_published":"2026-04-07T10:00:35Z","id":"/briefs/2026-04-saas-notification-abuse/","summary":"Attackers are abusing notification pipelines in SaaS platforms like GitHub and Jira to deliver phishing and spam emails by exploiting legitimate platform features and bypassing traditional email security measures.","title":"SaaS Notification Pipeline Abuse for Phishing and Spam Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/"},{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2025-55182"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["business-email-compromise","bec","ai","social-engineering","credential-harvesting","exploitation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBusiness Email Compromise (BEC) attacks have historically targeted large organizations with significant payouts justifying the required time investment. However, recent trends indicate a democratization of BEC, with smaller organizations becoming increasingly targeted. This shift is largely driven by the adoption of AI, enabling attackers to rapidly reconnoiter and tailor content for smaller organizations at scale. Attackers are now targeting smaller community associations, charities, and businesses, recognizing that scamming smaller sums from many victims can be as profitable as scamming large sums from a few. These organizations are often less aware of the threat and thus more vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e Attackers use AI-powered tools to gather information about target organizations and key personnel (e.g., community associations, small businesses).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpersonation:\u003c/strong\u003e Attackers craft emails impersonating trusted individuals within the organization (e.g., the chair of the association).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Initiation:\u003c/strong\u003e The attacker sends an email requesting a fund transfer to an account they control, relying on social engineering to trick someone with payment authority.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvasion:\u003c/strong\u003e The initial email is often sent from a plausible email address or a compromised genuine account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise\u003c/strong\u003e: Exploit React2Shell vulnerability (CVE-2025-55182) in Next.js applications to gain access to sensitive data, including cloud tokens, database credentials, and SSH keys, which are used for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: Sensitive data, including cloud tokens, database credentials, and SSH keys, is exfiltrated using custom framework called \u0026ldquo;NEXUS Listener\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation:\u003c/strong\u003e Once received, funds typically pass through money mules or compromised personal accounts before being rapidly shuffled through multiple transfers, obscuring the trail.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFinancial Gain:\u003c/strong\u003e The attacker successfully initiates the fund transfer and receives the money.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe democratization of BEC attacks expands the threat landscape to include vulnerable small organizations. While the individual sums may be smaller, the cumulative impact of successful attacks can be significant. If successful, organizations suffer financial losses, potential data breaches through stolen credentials (related to CVE-2025-55182), and reputational damage. The European Commission investigated a breach after an Amazon cloud account hack, highlighting the potential for data leaks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate employees, especially those with payment authority, about the signs of BEC scams, emphasizing unexpected requests for payment and the importance of verifying requests through separate channels (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eImplement and enforce strict procurement rules that prevent any last-minute urgent payments (reference: Overview section).\u003c/li\u003e\n\u003cli\u003ePatch Next.js applications against React2Shell vulnerability (CVE-2025-55182) immediately and rotate potentially compromised credentials including API keys and SSH keys (reference: \u0026ldquo;The one big thing\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious process creation activity (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of the malware files identified in the report using the provided SHA256 hashes (reference: IOCs section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T12:00:00Z","date_published":"2026-04-03T12:00:00Z","id":"/briefs/2026-04-democratized-bec/","summary":"Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.","title":"Democratization of Business Email Compromise (BEC) Attacks","url":"https://feed.craftedsignal.io/briefs/2026-04-democratized-bec/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Harvesting","version":"https://jsonfeed.org/version/1.1"}