Overview

A phishing campaign has been identified abusing legitimate Trello board invitation functionality to deliver credential-harvesting links to targeted users. Because these invitations originate from genuine Trello infrastructure, they are more likely to bypass standard email security controls and appear trustworthy to recipients.

The campaign has been observed at scale across multiple organisations. Attackers create shared Trello boards and send invitations to targets, embedding malicious links within the board. These links redirect users to credential-harvesting pages, using a technique consistent with Canva-style embedded phishing.

Indicators of compromise (IOCs)

The following indicators have been confirmed as associated with this campaign:

  • Subject Line: [internal_user] de [company_name] invited you
  • Display Name: [internal_user] de [company_name]
  • Sender Address: invitation-do-not-reply@trello.com
  • Board Name: Financial & Operational Impact Discussion

Secondary Indicator

  • Users may receive a follow-up Atlassian verification email from:
    noreply+[random_string]@id.atlassian.com
  • This email does not appear malicious and is likely an artefact of the attacker’s board creation process.
  • The verification code should not be actioned.

Recommended Remediations

Immediate Actions — All Users

  • Do not click any links within the invitation email or accept the Trello board.
  • Delete the invitation email immediately.
  • If received, delete the Atlassian verification code email without actioning it.
  • Report the email to your IT security team or ctrl:cyber.

If You Have Already Clicked the Link

  • Change passwords immediately, prioritising corporate accounts, email, and any reused credentials.
  • Enable multi-factor authentication (MFA) across all accounts if not already active.
  • Notify ctrl:cyber immediately to allow review of account activity.
  • Avoid using the affected device for sensitive activity until assessed.

Organisational / IT Team Recommendations

  • Block or quarantine emails from invitation-do-not-reply@trello.com where Trello is not an authorised tool.
  • Implement detection rules for subject patterns matching “* de * invited you”.
  • Alert users not to accept unexpected Trello board invitations.
  • Review email gateway logs for IOC matches and assess potential exposure.
  • Consider conditional access policies to restrict logins from unfamiliar locations or devices following potential credential compromise.
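The detection rule and the gateway-log review described above, as an added example that is not part of the original advisory: it classifies messages using only the indicators quoted here (the Trello invitation sender, the "* de * invited you" subject pattern, the board name, and the secondary Atlassian verification address). The sample records and placeholder names are constructed, and the label names are this example's own.

```python
import re
from email.utils import parseaddr

# Indicators quoted from the advisory above.
INVITE_SENDER = "invitation-do-not-reply@trello.com"
SUBJECT_RE = re.compile(r"^(?P<user>.+?) de (?P<company>.+?) invited you\b", re.IGNORECASE)
BOARD_NAME = "financial & operational impact discussion"
# Secondary indicator: Atlassian verification mail, an artefact of board creation, not malicious.
ATLASSIAN_VERIFY_RE = re.compile(r"^noreply\+[^@\s]+@id\.atlassian\.com$", re.IGNORECASE)


def classify(from_header: str, subject: str, body: str = "") -> str:
    """Classify one message (label names are this example's own).

    'ioc_match'     : Trello invite sender AND the campaign subject pattern or board name.
    'trello_invite' : Trello invite without campaign indicators; review where Trello is not authorised.
    'secondary'     : Atlassian verification-code mail; do not action, do not treat as compromise.
    'clean'         : none of the above.
    """
    _display_name, address = parseaddr(from_header)  # handles '"Name" <addr>' and bare addresses
    address = address.lower()
    if address == INVITE_SENDER:
        subject_hit = SUBJECT_RE.match(subject.strip()) is not None
        board_hit = BOARD_NAME in body.lower()
        return "ioc_match" if (subject_hit or board_hit) else "trello_invite"
    if ATLASSIAN_VERIFY_RE.match(address):
        return "secondary"
    return "clean"


def scan(messages):
    """Return the label for each (from, subject, body) tuple, in order."""
    return [classify(*m) for m in messages]


# Constructed sample gateway records (not real traffic); names are placeholders.
SAMPLE_MESSAGES = [
    ('"J. Smith de Example Ltd" <invitation-do-not-reply@trello.com>',
     "J. Smith de Example Ltd invited you",
     "You've been invited to the board Financial & Operational Impact Discussion"),
    ('"Trello" <invitation-do-not-reply@trello.com>',
     "Pat invited you to the board Sprint Planning",
     "Join the board Sprint Planning"),
    ("noreply+a1b2c3@id.atlassian.com", "Your Atlassian verification code", "Code: 123456"),
    ("colleague@example.com", "Re: Q3 budget", "See attached"),
]

if __name__ == "__main__":
    for (sender, subject, _), label in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(f"{label:14} {sender!r} / {subject!r}")
```

Run it over exported gateway records to separate confirmed campaign matches from ordinary Trello invitations before deciding on quarantine.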