Stop Phishing Yourself: How Auto-Forwarding and Exchange Contacts Can Stab You in the Back

This report details a phishing campaign where spoofed marketing emails, initially quarantined by O365 as phishing, were inadvertently forwarded to a Jira project via an Exchange Contact on an internal distribution list, resulting in Jira tickets containing malicious attachments (a credential-harvesting HTML). The SOC detected and removed the tickets the same day and implemented detections and a safer email-to-ticket configuration, with no evidence of user interaction or successful compromise.