Attackers Hijack SaaS Notifications for Phishing Campaigns

Cyber Threat Intelligence is highlighting a concerning trend observed by Cisco Talos: threat actors are increasingly weaponizing the notification pipelines of popular Software-as-a-Service (SaaS) platforms, like GitHub and Jira, to distribute spam and phishing emails. These malicious messages leverage the legitimate mail delivery infrastructure of these platforms, making them significantly harder for security tools to flag and block. By exploiting the built-in notification features, attackers can bypass standard email security controls and land directly in users’ inboxes. This tactic, dubbed ‘Platform-as-a-Proxy’ (PaaP) by some, capitalizes on the inherent trust organizations place in communications from verified SaaS providers.

Cisco Talos noted that this abuse is primarily linked to phishing and credential harvesting operations. Once an attacker gains compromised credentials or initial access through these means, it often paves the way for more significant attacks. As an example, during a campaign on February 17, 2026, Cisco Talos estimated that nearly 3% of emails sent from GitHub were associated with this type of abuse. The technique essentially turns trusted SaaS communication channels into vectors for social engineering.

The core of this exploit lies in embedding malicious lures within legitimate, system-generated notifications. This circumvents traditional reputation-based email security filters. By abusing these automated notification systems, threat actors are effectively turning a feature designed for collaboration and productivity into a tool for cybercrime, highlighting a significant blind spot in how organizations might monitor or trust their incoming SaaS-related communications.