Mallory

Email-borne scams abuse trusted SaaS infrastructure and authentication to bypass defenses

Tags: phishing-campaign-intelligence, identity-impersonation-fraud, remote-access-implant, defense-evasion-method, command-and-control-method
Updated May 5, 2026 at 04:01 PM · 9 sources

Threat actors are increasingly abusing trusted SaaS platforms and email authentication to deliver high-conviction scam lures that evade traditional filtering. Trend Micro reported a targeted spam operation that weaponizes Atlassian Cloud features to send messages that pass common checks (e.g., SPF/DKIM) due to the strong reputation of SaaS sender domains; the campaign is multilingual and aims to redirect government and corporate recipients to fraudulent investment landing pages using Keitaro TDS, with attackers creating multiple Atlassian instances for resilience and scale.

Separately, Forcepoint X-Labs described phishing emails impersonating the US Social Security Administration that deliver a .cmd script to weaken Windows defenses (including disabling SmartScreen, removing Mark-of-the-Web, and using Alternate Data Streams) before silently installing ConnectWise ScreenConnect as a remote-access backdoor (including a hardcoded callback configuration). Related research highlighted DKIM replay attacks, where adversaries forward legitimate, DKIM-signed vendor emails (e.g., PayPal/DocuSign-style invoices and dispute notices) so the unchanged content continues to validate and can pass DMARC, increasing inbox placement and user trust for follow-on social engineering.

Timeline

  1. May 5, 2026

    Researchers report Amazon SES abuse for phishing and BEC campaigns

    Researchers reported that in early 2026 attackers were abusing Amazon Simple Email Service to send authenticated phishing and business email compromise messages that passed SPF, DKIM, and DMARC checks. The campaigns used lures such as fake DocuSign notices and forged invoice threads, with access often enabled by exposed AWS IAM keys leaked in public repositories, images, or storage.

  2. Apr 16, 2026

    Cisco Talos reports n8n cloud abuse for phishing and malware delivery

    Cisco Talos reported that attackers abused the n8n workflow automation platform from October 2025 through March 2026, using exposed webhooks on trusted n8n cloud subdomains to host phishing flows, tracking pixels, and malware delivery pages. Talos described campaigns delivering a fake OneDrive lure that installed a modified Datto RMM tool and a malicious MSI that deployed ITarian Endpoint Management as a backdoor.

  3. Apr 7, 2026

    Cisco Talos details GitHub and Jira notification abuse as 'Platform-as-a-Proxy'

    Cisco Talos reported that attackers were abusing trusted SaaS notification pipelines, especially GitHub and Jira, by embedding phishing and scam lures in commit messages, invitations, and project fields so the platforms themselves sent authenticated emails that passed SPF, DKIM, and DMARC checks. Talos characterized the method as 'Platform-as-a-Proxy' and said telemetry on Feb. 17, 2026 showed likely abuse making up about 2.89% of observed GitHub email volume.

  4. Feb 18, 2026

    Trend Micro discloses Atlassian Cloud abuse in scam email campaign

    Trend Micro disclosed a sophisticated campaign abusing Atlassian Cloud’s trusted email infrastructure to target government and corporate users with multilingual scam emails. The campaign used Atlassian and AWS-hosted delivery plus Keitaro TDS redirect chains to increase credibility, scale, and resilience while complicating detection.

  5. Feb 17, 2026

    Researchers describe DKIM replay attacks using vendor email workflows

    Kaseya’s INKY researchers reported that attackers were abusing legitimate invoice and dispute-notification workflows from trusted services to embed scam content in vendor-generated emails. The attackers then forwarded the unchanged DKIM-signed messages to victims, allowing the emails to pass DKIM and DMARC checks and evade common email security filters.

  6. Dec 25, 2025

    Spam campaign abusing Atlassian Cloud becomes prominent

    Trend Micro reported that a targeted spam campaign leveraging Atlassian Cloud infrastructure became prominent between late December 2025 and January 2026. The activity used Jira Automation and disposable Jira Cloud instances to send scam emails that could pass SPF/DKIM checks and redirect targets to fraudulent investment schemes.
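The DKIM replay pattern described in the summary and in the Feb. 17 timeline entry works because the forwarded message is byte-identical to what the vendor signed, so signature verification alone cannot tell the difference. The script below is an added example (not code from Mallory, Trend Micro, Cisco Talos, INKY or any other source on this page) showing header-level triage a mail gateway or SOC tooling could run after authentication has already passed: it reads the DKIM-Signature `h=` tag to see whether the `To:` header was signed at all, compares the signed `To:` with the mailbox the message was actually delivered to, and lists links whose host is outside the signing domain, which also covers the 'Platform-as-a-Proxy' case of external URLs inside otherwise legitimate notification mail. It assumes the receiving MTA records `Authentication-Results` and `Delivered-To` headers; it does not verify the signature cryptographically, and every address, host and signature value in the sample messages is constructed.

```python
# Added example: triage heuristics for replayed or proxied vendor mail.
# Not taken from the Mallory page or any vendor it cites; samples are constructed.
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+")


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def auth_results(msg: EmailMessage) -> dict:
    """Read the receiving MTA's Authentication-Results header (assumed present)."""
    ar = (msg.get("Authentication-Results") or "").lower()
    return {m: f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc")}


def dkim_signed_headers(msg: EmailMessage) -> list:
    """Header names listed in the DKIM-Signature h= tag (RFC 6376 tag=value list)."""
    sig = msg.get("DKIM-Signature") or ""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = "".join(value.split())  # drop folding whitespace
    return [h for h in tags.get("h", "").lower().split(":") if h]


def sender_domain(msg: EmailMessage) -> str:
    _, addr = email.utils.parseaddr(msg.get("From") or "")
    return addr.rpartition("@")[2].lower()


def recipient_mismatch(msg: EmailMessage) -> bool:
    """True when the message reached a mailbox that the signed To: header does not name."""
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    signed_to = {a.lower() for _, a in email.utils.getaddresses([msg.get("To") or ""])}
    return bool(delivered) and delivered not in signed_to


def external_links(msg: EmailMessage, trusted_domain: str) -> list:
    """URLs in the body whose host is not the signing domain or a subdomain of it."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    out = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            out.append(url)
    return out


def triage(raw: bytes) -> dict:
    msg = parse_message(raw)
    auth = auth_results(msg)
    domain = sender_domain(msg)
    result = {
        "auth": auth,
        "to_signed": "to" in dkim_signed_headers(msg),
        "recipient_mismatch": recipient_mismatch(msg),
        "external_links": external_links(msg, domain),
        "findings": [],
    }
    if auth["dkim"] and not result["to_signed"]:
        result["findings"].append("DKIM passes but To: is unsigned; recipient not bound to the signature")
    if auth["dkim"] and result["recipient_mismatch"]:
        result["findings"].append("signed To: does not name the Delivered-To mailbox (replay indicator)")
    for url in result["external_links"]:
        result["findings"].append(f"link outside {domain}: {url}")
    return result


# Constructed sample: a genuine vendor notification delivered to the addressee it names.
SAMPLE_CLEAN = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=vendor.example; dmarc=pass
Delivered-To: customer@example.net
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel; h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Vendor Billing <billing@vendor.example>
To: customer@example.net
Subject: Your monthly statement
Date: Tue, 17 Feb 2026 10:00:00 +0000
Message-ID: <stmt-1@vendor.example>
Content-Type: text/plain; charset=utf-8

Your statement is ready at https://billing.vendor.example/statements/1
"""

# Constructed sample: the same kind of signed notification, originally addressed to a
# mailbox the attacker controls and then forwarded unchanged to a victim.
SAMPLE_REPLAYED = b"""\
Authentication-Results: mx.example.net; dkim=pass header.d=vendor.example; dmarc=pass
Delivered-To: victim@example.net
DKIM-Signature: v=1; a=rsa-sha256; d=vendor.example; s=sel; h=from:subject:date:message-id:to; bh=PLACEHOLDER; b=PLACEHOLDER
From: Vendor Billing <billing@vendor.example>
To: mule@attacker.example
Subject: Invoice 12345 - call +1-555-0100 to dispute
Date: Tue, 17 Feb 2026 10:05:00 +0000
Message-ID: <inv-12345@vendor.example>
Content-Type: text/plain; charset=utf-8

To dispute this charge call +1-555-0100 or open https://support-portal.example.org/dispute
"""

if __name__ == "__main__":
    for name, raw in (("clean", SAMPLE_CLEAN), ("replayed", SAMPLE_REPLAYED)):
        print(name, triage(raw)["findings"])
```

The recipient comparison is the useful signal: a vendor that signs `To:` binds the message to the mailbox the attacker originally sent it to, so the forwarded copy still verifies but names the wrong recipient. When `To:` is absent from `h=`, the gateway cannot make that comparison, which is why the script reports an unsigned `To:` as its own finding rather than treating a DKIM pass as sufficient.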


Sources

4 more from sources like talos intelligence blog, cyber security news, knowbe4 blog and blueteamsec

Related Stories

Multiple Social-Engineering Campaigns Abuse Trusted Platforms (Microsoft Teams, Vendor-Signed Email, Bing Ads/Azure)


Security researchers reported several **social-engineering campaigns** that abuse trusted platforms to increase credibility and bypass controls. One campaign targeted wedding planners and related vendors by hijacking trust in *Microsoft Teams*: attackers used compromised legitimate email threads and impersonated legal professionals (e.g., `czimmerman@craigzlaw[.]com`) to lure victims into clicking a fake Teams meeting link that ultimately redirected to `ussh[.]life/connect/teamsfinal/9/windows`, a site masquerading as a Teams download page. Victims were prompted to download Windows executables consistent with **information-stealer** behavior (credential/browser/session-token theft and C2 exfiltration), enabling follow-on account takeover and additional phishing. Separately, a report highlighted **DKIM replay**-style phishing in which criminals abuse legitimate notification/invoice workflows from **PayPal, Apple, and DocuSign** to generate cryptographically signed emails that pass DKIM/DMARC checks; attackers place scam content (often a fake support phone number and urgency) into user-controlled fields, send the message to themselves to obtain a “clean” vendor-signed email, then forward it to targets. Another campaign used **Bing search ads** to funnel users through a newly registered domain (`highswit[.]space`) to scam pages hosted on **Microsoft Azure Blob Storage** (consistent path pattern including `werrx01USAHTML/index.html` and a phone-number parameter), presenting fake Microsoft security warnings and directing victims to call numbers such as `1-866-520-2041` and `1-833-445-4045`; Netskope observed impact across dozens of US organizations.

1 month ago
Threat Actors Abuse Trusted Cloud and Ad Platforms for Multi-Stage Phishing and Scam Delivery


Threat actors are increasingly using **trusted platforms**—including cloud hosting and major ad networks—to deliver multi-stage phishing and scam campaigns that evade traditional URL and domain reputation controls. Recent activity includes a **three-step malvertising chain** delivered via **Facebook paid ads** that redirects victims through a decoy site (e.g., a fake Italian restaurant page) before landing on a **tech support scam (TSS) kit** hosted on **Microsoft Azure** infrastructure (including `web.core.windows.net`). Researchers reported rapid infrastructure churn, with **100+ domains rotated in seven days**, and targeting focused on **U.S. users** with activity concentrated on weekdays. Parallel enterprise-focused campaigns are hosting phishing infrastructure on **Microsoft Azure Blob Storage**, **Google Firebase**, and **AWS CloudFront**, using **redirect chains, CAPTCHA gates, and QR codes** to bypass automated analysis and email defenses. Analysis highlighted the use of **Adversary-in-the-Middle (AiTM)** phishing-as-a-service kits—**Tycoon2FA**, **Sneaky2FA**, and **EvilProxy**—to steal credentials and **session tokens** even when MFA is enabled. Separately, researchers documented a “clean email” approach to steal **Dropbox** credentials: benign-looking procurement-themed emails deliver **PDF attachments** that hide clickable elements (e.g., via *AcroForms* and `FlateDecode`), which then route victims to a second-stage file hosted on **Vercel Blob** and ultimately to a fake Dropbox login page that captures credentials and collects victim telemetry (IP address, location, and device details).

1 month ago
Attackers Abuse Amazon SES to Send Phishing That Passes Email Authentication


Kaspersky reported a rise in phishing campaigns that abuse Amazon Simple Email Service (**SES**) to deliver convincing messages through trusted cloud infrastructure. The activity is believed to be fueled by exposed AWS Identity and Access Management (**IAM**) access keys discovered in public GitHub repositories, `.env` files, Docker images, backups, and public S3 buckets. After validating stolen credentials—reportedly with automated secret-scanning and access-checking workflows—attackers use SES to send bulk phishing emails that can pass **SPF**, **DKIM**, and **DMARC**, reducing the effectiveness of reputation-based filtering. Observed campaigns included fake **DocuSign** notifications that redirected targets to AWS-hosted credential-harvesting pages, as well as more advanced business email compromise attempts using fabricated email threads and fake invoices. Researchers urged organizations to enforce least-privilege IAM permissions, enable MFA, rotate keys regularly, apply IP-based access restrictions, and strengthen encryption controls around secrets. Amazon said it provides guidance for exposed credentials, responds to abuse reports, and directs suspected misuse of AWS resources to **AWS Trust & Safety**.

Today
