Provide Organization Admins the ability to create a Permit List to restrict cross-tenant invitations and notifications for Managed Accounts


      Problem Statement:

      Currently, any individual can create a free Jira Cloud site, give it a deceptive name (e.g., company-ticketing-automation), and send product invitations or assign tickets to corporate email addresses belonging to other organizations.

      Because these alerts originate from Atlassian's trusted domains, they generate legitimate notifications (both via email and the global Atlassian Account in-app bell) to those corporate users. This creates a highly effective social engineering and phishing vector, potentially tricking enterprise users into interacting with external, untrusted tenants under the guise of internal collaboration.

      Currently, Organization Admins have no native governance controls to restrict their managed users from receiving these external assignments or joining untrusted tenants.

      Impact:

      Enterprise organizations are exposed to phishing campaigns originating from within the Atlassian ecosystem. Administrators lack the necessary tools to enforce a trusted B2B collaboration boundary and protect their managed users from malicious cross-tenant invitations.

      Suggestion:

      Provide Organization Administrators the ability to govern cross-site invitations and notifications for their claimed domains. The proposed solution is:

      • The ability to create a "Permit List" (allowlist) of trusted Atlassian site URLs. Managed users would only receive invitations, assignments, and global notifications from sites explicitly approved by their Organization Admins.

      Workaround:

      None within the Atlassian platform. Organizations must rely on external email security gateways to flag or quarantine unsolicited invitations.

              Assignee:
              Unassigned
              Reporter:
              Adalberto Schneider
              Votes:
              3
              Watchers:
              5
