The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines

ID: e9769006-214f-5851-a255-7083145fe727

STIX ID: report--e9769006-214f-5851-a255-7083145fe727

Feed Name: Cisco Talos

Threat Score: 60/100

Date Published: 2026-04-07

Date Updated: 2026-04-27

Author: Cisco Talos

...
...

Cisco Talos observed a rise in campaigns abusing legitimate SaaS notification systems (notably GitHub commit notifications and Atlassian/Jira invites) to deliver phishing and credential-harvesting content that bypasses SPF/DKIM/DMARC protections by leveraging the platforms' own trusted delivery. The report includes telemetry (e.g., 1.20% of [email protected] traffic with an “invoice” lure over five days and a Feb 17, 2026 peak of ~2.89%), concrete examples of how commit message and project fields are weaponized, and prescribes defenses such as instance-level identity verification, upstream API monitoring, semantic intent profiling, intentional user friction, and automated takedown orchestration.