Companies throughout Australia and the APAC region have been alerted that cybercriminals are taking advantage of well-known platforms such as Atlassian to execute increasingly persuasive phishing attacks targeting law firms and other businesses. These malicious attacks are aimed at stealing employee credentials and breaching corporate cybersecurity defenses.
Ryan Economos, APAC field chief technology officer at email security firm Mimecast, informed TechRepublic that while phishing attacks utilizing Atlassian as a façade are relatively uncommon, they are becoming more advanced due to the proliferation of phishing kits and AI tools that facilitate the methods used by cybercriminals.
Phishing Tactics Involving Atlassian and Compliance Narratives
Mimecast’s Global Threat Intelligence Report for the first half of 2024 disclosed the rise of a novel phishing strategy that employs a compliance update narrative to target employees of law firms. The phishing schemes involved:
- Utilizing the reputable Atlassian workspaces, along with other unified workspace platforms like Archbee and Nuclino, to dispatch malicious emails that appeared familiar and trusted.
- Presenting device compliance updates as a pretext, where employees received emails instructing them to update their devices in order to comply with company policy.
- Redirecting those who clicked on the link to a counterfeit company portal, enabling attackers to collect credentials and other sensitive information.
- Embedding phishing links in emails sent from addresses associated with Japanese Internet Service Providers (ISPs).
Mimecast’s report highlighted that “The emails contained considerable personalization, including details about a ‘device’ and multiple references to the company’s domain, enhancing their legitimacy.”
The Expansion of Phishing Targeting
Economos noted that while the campaign originally focused on Australian law firms, it has since broadened its scope to other sectors beyond legal services. Several characteristics of the campaign indicate a growing sophistication among threat actors:
Use of Atlassian and Other Platforms:
Economos pointed out that the increasing utilization of Atlassian workspaces marks a new trend in the market. “Mimecast has continued to observe threat actors using services like OneDrive and Google Docs for hosting links or files in their campaigns, yet the utilization of platforms such as Atlassian has not been extensively exploited until recently.”
Intelligence Gathering via Tracker Data:
The campaign employed postmark URLs to redirect users to unified workspace platforms. These URLs allowed attackers to gather information on users’ locations, browser types, and which parts of the emails were clicked, enabling more personalized phishing attempts.
Advanced URL Obfuscation Techniques:
The phishing campaign used various obfuscation methods, complicating efforts to identify the real URL destination. These included multiple redirects, coded characters, and the addition of tracking parameters.
Exploitation of Japanese ISPs:
Economos highlighted the repeated exploitation of Japanese ISPs in similar phishing campaigns, indicating the lengths to which cybercriminals will go to successfully target organizations.
The Evolving Landscape of Phishing Threats
Phishing remains one of the most prevalent cyber threats organizations face today. Economos stated that while generative AI and machine learning technologies assist defenders in thwarting attacks, they are also expected to enhance the sophistication and precision of phishing campaigns. This evolution necessitates that defenders remain vigilant in detecting and promptly responding to new and innovative attack methods.
“The most significant change has been the speed and accuracy of phishing threats, enabled by phishing kits, automation, and AI technologies,” Economos remarked. “These tools empower even low-skill attackers to launch expansive campaigns and craft more convincing phishing emails that evade traditional security measures.”
He also noted the rise of pretexting—where cybercriminals impersonate a credible character to mislead victims—and Business Email Compromise as critical developments in the phishing threat landscape. As work environments continue to diversify, threat actors are broadening their attack vectors beyond email to include social media platforms and collaboration tools such as Microsoft Teams, Slack, and OneDrive, alongside vishing and smishing tactics using phone calls or text messages to deceive victims.
