
More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY:

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a DocuSign-branded image. Clicking the hyperlink redirects users to an Atlassian domain, then to a Microsoft-branded sign-in form. This technique bypasses secure email gateways and other security measures. Once credentials are entered, they are exfiltrated to the threat actor's domain. Such attacks can lead to various malicious activities, including spear phishing, business email compromises, and malware deployment. The use of trusted domains makes these attacks particularly effective and difficult to detect.
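A triage check for the attachment stage described above, as an added example that is not part of the original report: it lists the external hyperlink targets stored in an .xlsx file and flags those on a watched hosting domain. The function names, the watched-suffix list, the size limit and the sample workbook parts are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
WATCHED_SUFFIXES = ("atlassian.net",)  # assumption: hosting domains worth a second look
MAX_PART = 1_000_000                   # assumption: skip oversized parts (zip-bomb guard)

def external_links(xlsx_bytes):
    """Return (part, url) for each external hyperlink relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            # Stdlib parser keeps this self-contained; use a hardened one (defusedxml) on real mail.
            root = ET.fromstring(zf.read(info))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") == HYPERLINK and rel.get("TargetMode") == "External":
                    found.append((info.filename, rel.get("Target", "")))
    return found

def flag_links(xlsx_bytes):
    """Keep links whose host equals, or is a subdomain of, a watched suffix."""
    hits = []
    for part, url in external_links(xlsx_bytes):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            hits.append((part, url))
    return hits

def build_sample():
    """Constructed sample: a zip holding only the .rels parts the scanner reads."""
    def rels(*targets):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{HYPERLINK}" Target="{t}" TargetMode="External"/>'
            for i, t in enumerate(targets, 1))
        return f'<Relationships xmlns="{RELS_NS}">{body}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A link attached to a picture is stored in the drawing's relationships part.
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels",
                    rels("https://example-tenant.atlassian.net/wiki/x/placeholder"))
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                    rels("https://intranet.example.com/policy",
                         "https://atlassian.net.example.org/lookalike"))
    return buf.getvalue()
```

Because the flagged domain is a legitimate service, a hit is a prompt for review of the message and sender rather than a verdict.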

OPENCTI LABELS:

phishing, social engineering, credential theft, confluence, microsoft, domain abuse, docusign, atlassian


Open in the NetmanageIT OpenCTI public instance using the link below.


NOTE: Use the public read-only username and password shown on the login page banner.


More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence