May 11, 2026
By esentry Team

Critical: Trello Phishing Campaign – Credential Harvesting via Board Invitation Abuse

Attackers are currently exploiting trusted SaaS platforms to bypass traditional security controls.

A phishing campaign has been identified that abuses legitimate Trello board invitation functionality to deliver credential-harvesting links to targeted users.

Because these emails are sent from genuine Trello infrastructure, they are more likely to bypass standard email security controls and appear trusted to recipients.

This campaign has been observed on a large scale across multiple organisations. Attackers create shared Trello boards and invite victims, embedding malicious links within the board content. When clicked, these links redirect users to credential-harvesting pages, using techniques consistent with Canva-style embedded phishing.

Attack Methodology

  • Threat actors create a Trello board using legitimate Atlassian services
  • Targeted users receive a valid Trello invitation email
  • The board contains embedded malicious links
  • Clicking the link redirects to a credential‑harvesting page
  • Stolen credentials may be reused for account compromise and lateral movement

Indicators of Compromise (IOCs)

The following indicators have been confirmed to be associated with this campaign. Note that the sender address and the subject template are the ones Trello uses for every genuine invitation, so they are not malicious on their own; treat a message as part of this campaign when they occur together with the display-name pattern or the board name below.

  • Email Subject Line:
    [internal_user] de [company_name] invited you
  • Display Name:
    [internal_user] de [company_name]
  • Sender Address:
    invitation-do-not-reply@trello.com
  • Board Name:
    Financial & Operational Impact Discussion

Secondary Indicator

Some users may receive a follow-up Atlassian verification email from:

noreply+[random_string]@id.atlassian.com

This email does not appear malicious and is likely an artefact of the attacker’s board creation process.
Do not enter or otherwise act on the verification code.
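To turn the indicators above into something a mail-gateway search or mailbox export can be run through, here is an added triage script; it is not code from this advisory or from esentry. It matches one raw RFC 5322 message against the confirmed indicators and the secondary indicator, and only escalates to "campaign" when the Trello sender is combined with the campaign board name, to "suspicious" when it is combined with the "[internal_user] de [company_name]" display-name or subject pattern alone. The four sample messages are constructed for the demonstration and are not captured mail.

```python
"""Triage helper for the Trello board-invitation phishing pattern (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicators from the advisory. The sender address and subject template are shared
# with every legitimate Trello invitation, so they only count in combination.
TRELLO_INVITE_SENDER = "invitation-do-not-reply@trello.com"
CAMPAIGN_BOARD_NAME = "financial & operational impact discussion"
DISPLAY_NAME_DE = re.compile(r"^\S.* de \S.*$", re.IGNORECASE)
SUBJECT_DE_INVITE = re.compile(r"^\S.* de \S.* invited you\b", re.IGNORECASE)
ATLASSIAN_VERIFICATION = re.compile(r"^noreply\+[^@\s]+@id\.atlassian\.com$", re.IGNORECASE)


def _body_text(msg) -> str:
    """Return the text/plain (or text/html) body of the message, or '' if absent."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def classify_invitation(raw_email: str) -> dict:
    """Match one raw message against the advisory's indicators and return a verdict."""
    msg = message_from_string(raw_email, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    subject = str(msg.get("Subject", ""))
    body = _body_text(msg).lower()
    hits = []

    if address == TRELLO_INVITE_SENDER:
        hits.append("sender:trello-invitation")
        if DISPLAY_NAME_DE.match(display_name):
            hits.append("display-name:<user> de <company>")
        if SUBJECT_DE_INVITE.match(subject):
            hits.append("subject:<user> de <company> invited you")
        if CAMPAIGN_BOARD_NAME in body:
            hits.append("board-name:campaign")
    elif ATLASSIAN_VERIFICATION.match(address):
        hits.append("secondary:atlassian-verification")

    if "board-name:campaign" in hits:
        verdict = "campaign"                 # sender + campaign board name
    elif any(h.startswith(("display-name", "subject")) for h in hits):
        verdict = "suspicious"               # sender + 'de' pattern only; needs review
    elif "sender:trello-invitation" in hits:
        verdict = "trello-invite-no-match"   # ordinary Trello invitation
    elif hits:
        verdict = "secondary-indicator"      # Atlassian verification mail; do not action
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "hits": hits, "from": address, "subject": subject}


# Constructed sample messages for the demonstration (not real captured mail).
CAMPAIGN_SAMPLE = """\
From: "Juan Perez de Example Corp" <invitation-do-not-reply@trello.com>
To: victim@example.com
Subject: Juan Perez de Example Corp invited you
Content-Type: text/plain; charset="utf-8"

Juan Perez de Example Corp invited you to the board
"Financial & Operational Impact Discussion".
Open the board to review the shared documents.
"""

SUSPICIOUS_SAMPLE = """\
From: "Maria Lopez de Example Corp" <invitation-do-not-reply@trello.com>
To: victim@example.com
Subject: Maria Lopez de Example Corp invited you
Content-Type: text/plain; charset="utf-8"

Maria Lopez de Example Corp invited you to the board "Q3 Review".
"""

LEGIT_SAMPLE = """\
From: "Alice Smith" <invitation-do-not-reply@trello.com>
To: colleague@example.com
Subject: Alice Smith invited you to the board Sprint Planning
Content-Type: text/plain; charset="utf-8"

Alice Smith invited you to the board "Sprint Planning".
"""

VERIFICATION_SAMPLE = """\
From: Atlassian <noreply+a1b2c3d4@id.atlassian.com>
To: victim@example.com
Subject: Verify your email address
Content-Type: text/plain; charset="utf-8"

Your verification code is 123456.
"""

if __name__ == "__main__":
    for sample in (CAMPAIGN_SAMPLE, SUSPICIOUS_SAMPLE, LEGIT_SAMPLE, VERIFICATION_SAMPLE):
        print(classify_invitation(sample))
```

The "suspicious" tier exists because " de " also appears in ordinary Spanish and Portuguese names, so a display-name match without the board name is a triage lead rather than a confirmed hit; point the script at an exported mailbox or gateway quarantine and review that tier by hand.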

Immediate Actions For All Users

  • Do not click any links within the Trello invitation email
  • Do not accept the Trello board invitation
  • Delete the invitation email immediately
  • If received, delete the Atlassian verification email without action
  • Report the email to your IT Security team or ctrl:cyber

If You Have Already Clicked the Link

  • Change passwords immediately, prioritising corporate accounts, email accounts and any reused credentials, and have active sessions and tokens for those accounts revoked, since a password change alone does not end a session the attacker has already established
  • Enable multi‑factor authentication (MFA) on all accounts if not already enabled
  • Notify ctrl:cyber immediately to allow review of account activity
  • Avoid using the affected device for sensitive activity until it has been assessed

Recommendations

  • Block the known credential-harvesting URLs associated with the campaign; the trello.com invitation sender itself is legitimate infrastructure and should not be blocked wholesale
  • Educate users on risks associated with trusted‑platform phishing
  • Monitor for suspicious Trello board invitations across the organisation
  • Enforce MFA across all corporate systems
  • Review email security controls for third‑party SaaS abuse scenarios
  • Conduct awareness reminders highlighting that legitimate platforms can still deliver malicious content