https://feed.craftedsignal.io/tags/credential-harvesting/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 07 Apr 2026 10:00:35 +0000https://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/Tue, 07 Apr 2026 10:00:35 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/Attackers are abusing notification pipelines in SaaS platforms like GitHub and Jira to deliver phishing and spam emails by exploiting legitimate platform features and bypassing traditional email security measures.Cisco Talos has observed a surge in malicious activity that abuses notification pipelines within popular collaboration platforms, such as GitHub and Jira, to distribute spam and phishing emails. This technique, known as Platform-as-a-Proxy (PaaP), enables threat actors to bypass conventional email security filters by leveraging the trusted infrastructure of legitimate SaaS providers. Attackers embed malicious content within system-generated notifications, exploiting the implicit trust organizations place in these platforms. This allows them to effectively weaponize legitimate infrastructure and deliver phishing content, often leading to credential harvesting and subsequent attacks. During a campaign on February 17, 2026, approximately 2.89% of emails originating from GitHub were associated with this abuse.

Attack Chain

1. Repository Creation (GitHub): Attackers create new repositories on GitHub to host their malicious content.
2. Commit Message Crafting (GitHub): Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.
3. Commit Push (GitHub): Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.
4. Project Creation (Jira): Attackers create a new Jira Service Management project to configure automated customer invites.
5. Malicious Data Input (Jira): Attackers inject malicious lures into data fields, such as the “Project Name,” “Welcome Message,” or “Project Description” fields, within the Jira project configuration.
6. Customer Invite (Jira): The attacker utilizes the “Invite Customers” feature and inputs the victim’s email address.
7. Automated Notification Generation (GitHub/Jira): The platforms (GitHub/Jira) automatically generate email notifications containing the attacker-supplied malicious content, bypassing standard email security checks due to the trusted source.
8. Credential Harvesting/Social Engineering: Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.

Impact

Abusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. On February 17, 2026, 2.89% of emails originating from GitHub were associated with this abuse. The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.

Recommendation

• Implement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: “GitHub Commit Message Phishing Lure” rule).
• Monitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: “Jira Service Desk Invite Abuse” rule).
• Review email logs for messages originating from noreply[@]github.com that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).
• Implement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.
• Educate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing information.

]]>highadvisorysaas-abusephishingcredential-harvestinggithubjirahttps://feed.craftedsignal.io/briefs/2026-04-democratized-bec/Fri, 03 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-democratized-bec/Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.Business Email Compromise (BEC) attacks have historically targeted large organizations with significant payouts justifying the required time investment. However, recent trends indicate a democratization of BEC, with smaller organizations becoming increasingly targeted. This shift is largely driven by the adoption of AI, enabling attackers to rapidly reconnoiter and tailor content for smaller organizations at scale. Attackers are now targeting smaller community associations, charities, and businesses, recognizing that scamming smaller sums from many victims can be as profitable as scamming large sums from a few. These organizations are often less aware of the threat and thus more vulnerable.

Attack Chain

1. Reconnaissance: Attackers use AI-powered tools to gather information about target organizations and key personnel (e.g., community associations, small businesses).
2. Impersonation: Attackers craft emails impersonating trusted individuals within the organization (e.g., the chair of the association).
3. Request Initiation: The attacker sends an email requesting a fund transfer to an account they control, relying on social engineering to trick someone with payment authority.
4. Evasion: The initial email is often sent from a plausible email address or a compromised genuine account.
5. Account Compromise: Exploit React2Shell vulnerability (CVE-2025-55182) in Next.js applications to gain access to sensitive data, including cloud tokens, database credentials, and SSH keys, which are used for lateral movement.
6. Data Exfiltration: Sensitive data, including cloud tokens, database credentials, and SSH keys, is exfiltrated using custom framework called “NEXUS Listener”.
7. Obfuscation: Once received, funds typically pass through money mules or compromised personal accounts before being rapidly shuffled through multiple transfers, obscuring the trail.
8. Financial Gain: The attacker successfully initiates the fund transfer and receives the money.

Impact

The democratization of BEC attacks expands the threat landscape to include vulnerable small organizations. While the individual sums may be smaller, the cumulative impact of successful attacks can be significant. If successful, organizations suffer financial losses, potential data breaches through stolen credentials (related to CVE-2025-55182), and reputational damage. The European Commission investigated a breach after an Amazon cloud account hack, highlighting the potential for data leaks.

Recommendation

• Educate employees, especially those with payment authority, about the signs of BEC scams, emphasizing unexpected requests for payment and the importance of verifying requests through separate channels (reference: Overview section).
• Implement and enforce strict procurement rules that prevent any last-minute urgent payments (reference: Overview section).
• Patch Next.js applications against React2Shell vulnerability (CVE-2025-55182) immediately and rotate potentially compromised credentials including API keys and SSH keys (reference: “The one big thing” section).
• Deploy the following Sigma rule to detect suspicious process creation activity (reference: rules section).
• Monitor for the presence of the malware files identified in the report using the provided SHA256 hashes (reference: IOCs section).

]]>mediumadvisorybusiness-email-compromisebecaisocial-engineeringcredential-harvestingexploitation