Just to make sure your findings are the same as mine:

This very-questionable "atlas-trk.prd.msg.ss-inf.net" URL is LEGIT, right?  These are actual emails from Atlassian?

Later emails I have gotten from Atlassian also have this URL source.  I still have not actually clicked on one of these links, but when verifying their information through normal login, all of the facts checked out.  In other words, these links SEEM to be legit as far as I can tell.

I am nagging about this on this thread to hopefully generate enough noise that Atlassian changes this URL to something far less easy to spoof.

I still CRINGE thinking about HOW EASY it would be to fake this thing.  The original domain is "ss-inf.net", right?  Seeing that typed out really make it scream "HACKER".

Atlassian claimed this is legit.

I don't know what to say...

Thanks.  It is good to have another source of confirmation for this.

Hi @Martin Kaul 

We have recently updated the documentation in IP addresses and domains for Atlassian cloud products to include this domain.  This is in fact a domain that Atlassian uses.

@Andy Heinzer looks like Atlassian is OK with proceeding with this domain.
I see it as similar move to what a company in Poland recently did.
Security people try their best to learn people to avoid weirdly looking domains by all means and here you come acting like it is perfectly fine to use a weirdly looking domain in production.

Has Atlassian thought about something like social responsibility?

I completely understand @Martin Kaul and if I would be the one to manage deny list of domains, this one would land there regardless of being legitimate.

Did the company consult that idea with internal security team?

Hi @Andy Heinzer 

I agry to @Jan Tymiński 

It is not the point that this address is a valid address from Atlassian. We sensitize our people not to click on cryptic links. When the domain is atlassian.com then its readable and understandable. But "atlas-trk.prd.msg.ss-inf.net"??? A potential hacker only needs to change one character of ss-inf.net for example to ss-int.net - and then the people click the link.

An other point is, that Atlassian is not the only company with Messages send to us. What should we do? Read URL documentation of all of our connected companies to get the list of all valid domains of the companies?

No, No, when Atlassian want to send us Messages with valid links, then do not use links with cryptic mysterious domains - use your valid and (important) readable company domain.

best regards

  Martin

@Małgorzata Łopacińska 

Please forward any such emails to abuse@atlassian.com

If someone has used our Cloud services to send spam/phishing this is the best way to let our anti-abuse team know about it and be able to take steps to suspend that site.

Great.

So Atlassian is cool to go against the grain.

All the security trainings train people not to click strange-looking URLs and Atlassian introduces one as a legitimate URL (when a truly legitimate URL could be used instead) and will start teaching all these people to stop worrying about such URLs.

Atlassian, you can do much better and I expect you revise this approach and improve here.

This way you're contributing to lowering global security in the times where it gets extremely important to do everything to improve it.
Please take a couple of minutes, meet there internally and discuss this approach and an option to generate genuinely looking urls.

If there's `customer.atlassian.net` available for the `customer`, everyone at `customer` should get URLs starting with `customer.atlassian.net` within the spaces of the `customer.

I hope my point here is clear why it is important to not use urls like `blah-blahblah.blah-some.random-gibberish.unrelated-to-atlassian.net`

@Steve Smith & @Jan Tymiński , same here!

Years of cyber security awareness training got our employees to finally be more careful with e-mails and an ever rising threat due to conflicts in Ukraine and the Middle-East.

Now they're reporting (supposedly) Atlassian-E-Mails containing URLs using, https://atlas-trk.prd.msg.ss-inf.net/f/a, which, in every sense of cyber security training success, is correct. 

If I'm reading @Andy Heinzer's answer above correctly, this is a legit domain for Atlassian Cloud Services (such as Confluence). However, it would be great to have that confirmed for this type of e-mail before releasing it to our employees.

Sender-domain is id.atlassian.net.

Thanks heaps in advance! 

Hi @Raimo Neumann I reached out to my internal team about this.  They have confirmed that this domain is owned and operated by Atlassian.  This new address does not yet appear within the documented list of IP Address Ranges and Domains for Atlassian Cloud products, however I have also reached out to my documentation team to update that content.

Thanks heaps for confirming @Andy Heinzer! 🙌🏼

Thanks for the quick reply. I was able to whitelist the domain in order to prevent further issues in our environment. I was mostly curious what it was doing and if this was the new norm when opening Jira ticket links within our emails. Thx