Trusted Platform Abuse Escalates: Scam Email Delivered via Xero Infrastructure Passes SPF, DKIM and DMARC

Days after researchers exposed abuse of Atlassian Jira Cloud to distribute investment scams from authenticated @atlassian.net addresses, a parallel campaign has emerged leveraging Xero’s email infrastructure.

The observed message arrived from:

Tesla Recruitment
messaging-service@post.xero.com

Authentication results:

• SPF: PASS (198.244.57.62)
• DKIM: PASS (d=post.xero.com)
• DMARC: PASS

Delivery was immediate. Authentication was fully aligned. The sending domain was legitimate.

Nothing was spoofed.
Nothing was impersonated at the domain level.

This is Trusted Platform Abuse (TPA) — and it is rapidly becoming one of the most effective spam delivery mechanisms in the email ecosystem.

From Atlassian to Xero: A Repeatable Model

The earlier Atlassian Jira abuse followed a clear structure:

• Attackers created legitimate Jira Cloud instances.
• Built-in automation triggered outbound notifications.
• Emails originated from authentic Atlassian infrastructure.
• SPF, DKIM and DMARC passed.
• Messages redirected to investment scams and online casino pages.

Authentication validated origin. It did not validate intent.

The Xero case follows the same structural logic.

The message impersonated “Tesla Recruitment” and linked to teslatalent.com, presented as a scheduling or recruitment interaction. The email format mirrored standard transactional messaging. There were no authentication anomalies.

This strongly indicates abuse of legitimate Xero functionality — likely invoicing, messaging, or automated notification workflows.

No infrastructure compromise is required.

The attacker needs only:

• A valid account
• Access to outbound messaging functionality
• A credible lure

Once those conditions are met, the attacker inherits Xero’s sender reputation and delivery trust.

Why This Works

Modern email filtering models heavily weight:

• Domain reputation
• IP reputation
• Authentication alignment
• Historical sending behaviour
• Infrastructure trust

In this case:

• post.xero.com is a legitimate sending domain.
• SPF, DKIM and DMARC are aligned.
• The infrastructure has established trust.
• The message structure resembles expected SaaS notifications.

To a reputation-based filtering engine, the message appears low risk.

The mailbox provider trusts Xero.
It does not know the attacker abusing a Xero tenant.

This distinction is critical.

Authentication Confirms Identity, Not Legitimacy

There remains persistent confusion in the market around what authentication solves.

SPF, DKIM and DMARC confirm:

• The message was authorised by the sending domain.
• The domain owner permitted that transmission.

They do not confirm:

• The sender’s business legitimacy.
• The intent of the transaction.
• Whether the account was created for abuse.

In Trusted Platform Abuse scenarios, authentication actually strengthens the attacker’s position. The higher the platform’s reputation, the more effective the bypass.

Reputation Piggybacking as a Strategic Shift

Phishing infrastructure is evolving.

Instead of relying on disposable domains and low-reputation IP space, threat actors increasingly piggyback on:

• Project management tools
• Accounting platforms
• CRM automation systems
• Cloud document sharing notifications
• Scheduling services
• Invoice delivery systems

The playbook is consistent:

1. Register an account.
2. Trigger automated outbound notifications.
3. Embed redirect or malicious landing domain.
4. Leverage inherited platform reputation to achieve inbox placement.

This is infrastructure-as-a-service — unintentionally provided by legitimate SaaS platforms.

The economic advantage for attackers is significant:

• No need to build sending infrastructure.
• No need to warm domains.
• No need to manage IP reputation.
• Authentication alignment is automatic.

The defensive model, however, is still anchored in domain-level trust assumptions.

Why Legacy Controls Fail

Traditional anti-spoofing controls are irrelevant in this context because nothing is spoofed.

Domain reputation is insufficient because:

• The trusted domain belongs to the SaaS provider.
• The malicious actor is operating at the tenant level.

IP reputation is ineffective because:

• The sending IP is part of a legitimate, high-volume transactional infrastructure.

Content filtering struggles because:

• Messaging often mimics legitimate transactional workflows.
• Lures are professionally written and brand-aligned.

This attack class exploits trust architecture, not technical vulnerabilities.

What Detection Requires

Mitigating Trusted Platform Abuse requires a shift from domain-centric trust models to behavioural and contextual analysis.

Effective controls include:

• Tenant-level abuse detection by SaaS providers
• New-account behavioural anomaly detection
• Recipient graph analysis
• Link-chain and redirect intelligence
• Final landing page reputation scoring
• Post-delivery correlation and response loops

Mailbox providers and SaaS platforms must also accelerate abuse reporting and enforcement coordination. The abuse window is often short but highly effective.

Strategic Implications

Trusted Platform Abuse is not an authentication failure. It is a structural trust modelling weakness.

As SaaS ecosystems expand and automate outbound communications at scale, they become high-value relay systems for malicious actors.

The more reputable the platform:

• The higher the inbox placement probability.
• The lower the friction for attackers.
• The greater the bypass effectiveness.

The email in this case passed every technical authenticity test.

It still should not have been trusted.

The industry will need to adjust its defensive posture accordingly and quickly!