Zendesk Relay Spam Campaign


Zendesk issued an advisory addressing a wave of spam emails being sent through its customer support platform. The campaign abused a ticketing configuration that allows unverified users to submit support requests; each request triggers an automatically generated “ticket confirmation” email, which here carried spam or phishing content. While these emails appeared legitimate, Zendesk confirmed that no system vulnerability or data breach occurred. Instead, the attackers abused open submission settings used by some organizations for ease of customer access.

Severity: High

Incident Details

  1. Timeline and Discovery:
    • The spam wave began around January 18, 2026, with users worldwide reporting hundreds of bizarre and alarming Zendesk-generated emails.
    • Social media platforms like X (formerly Twitter) lit up with complaints of massive inbox floods, some users receiving hundreds of tickets per hour.
  2. The Attack Vector: Attackers exploit a configuration that allows unverified or anonymous users to submit support tickets. By automating this process and entering a third party’s email address as the “requester,” the attacker triggers an automatic confirmation email from the company to the victim.
  3. Nature of the Content: The emails often feature alarming or bizarre subject lines, such as fake “TAKE DOWN ORDERS,” legal notices from various countries (e.g., Israel, Peru, China), or offers for “FREE DISCORD NITRO”. Some messages also use Unicode fonts to bold or decorate text across multiple languages.
  4. Malicious Intent: While many of these emails do not currently contain direct phishing links, they are highly confusing and appear designed to “troll” recipients or overwhelm their inboxes (email bombing).
  5. Impacted Organizations: A wide range of major companies and government agencies have had their systems used in this wave, including:
    • Tech & Services: Discord, Tinder, Dropbox, NordVPN, and Kahoot.
    • Gaming: 2K (CD Projekt), Riot Games, and Konami.
    • Government: The Tennessee Department of Labor and Department of Revenue.
  6. Zendesk’s Response: Zendesk has introduced new safety features, including enhanced monitoring and stricter limits to detect and halt unusual activity more quickly.

Recommendations

For Zendesk Administrators:

  1. Require authentication or verified email addresses for new ticket creation.
  2. Remove placeholders from auto-response templates that may include attacker-supplied content.
  3. Apply throttling or CAPTCHA challenges on ticket submission forms.
  4. Monitor for sudden spikes in outbound auto-response volumes.
  5. Inform customers and staff about how to recognize spam disguised as Zendesk confirmations.

For Recipients and Organizations:

  1. Do not reply to, or click links in, unexpected ticket confirmations.
  2. Create rules to quarantine or flag Zendesk-based emails matching spam patterns.
  3. Forward suspected spam tickets to abuse[@]zendesk.com or contact Zendesk support for review.
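
As an illustration of the monitoring and flagging recommendations above (administrator item 4 and recipient item 2), the following added example, which is not code from Zendesk or from this advisory, scans ticket-creation events for one source naming many different requesters in a short window and for subjects decorated with Unicode "font" letters. The event fields (timestamp, source IP, requester, subject), the 10-minute window and the threshold of 3 are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_REQUESTERS = 3              # assumed cap on distinct requesters per source per window

def decorated(subject):
    """True if the subject contains Unicode 'font' letters (Mathematical Alphanumeric Symbols)."""
    return any(0x1D400 <= ord(ch) <= 0x1D7FF for ch in subject)

def find_relay_abuse(events):
    """events: time-ordered (timestamp, source_ip, requester, subject) tuples.
    Returns a list of (timestamp, source_ip, reason) alerts."""
    recent = defaultdict(deque)  # source_ip -> (timestamp, requester) pairs inside WINDOW
    alerts = []
    for ts, src, requester, subject in events:
        seen = recent[src]
        seen.append((ts, requester.lower()))
        while ts - seen[0][0] > WINDOW:  # drop entries older than the window
            seen.popleft()
        distinct = {r for _, r in seen}
        if len(distinct) > MAX_REQUESTERS:
            alerts.append((ts, src, f"{len(distinct)} distinct requesters in window"))
        elif decorated(subject):
            alerts.append((ts, src, "decorated Unicode subject"))
    return alerts

def _bold(word):
    """Test-data helper: map A-Z to Mathematical Bold capitals."""
    return "".join(chr(0x1D400 + ord(c) - ord("A")) for c in word)

T0 = datetime(2026, 1, 18, 12, 0)
# Constructed sample events (documentation IP ranges and example domains).
SAMPLE = [
    (T0, "198.51.100.7", "alice@example.com", "Password reset help"),
    (T0 + timedelta(minutes=1), "203.0.113.9", "v1@example.net", _bold("FREE") + " DISCORD NITRO"),
    (T0 + timedelta(minutes=2), "203.0.113.9", "v2@example.net", "TAKE DOWN ORDER"),
    (T0 + timedelta(minutes=3), "203.0.113.9", "v3@example.net", "TAKE DOWN ORDER"),
    (T0 + timedelta(minutes=4), "203.0.113.9", "v4@example.net", "TAKE DOWN ORDER"),
    (T0 + timedelta(minutes=30), "198.51.100.7", "alice@example.com", "Re: Password reset help"),
]

if __name__ == "__main__":
    for alert in find_relay_abuse(SAMPLE):
        print(alert)
```

Counting distinct requester addresses per source, rather than raw ticket volume, keeps a single customer who follows up on their own ticket several times from raising an alert.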

Source:

  • https://support.zendesk.com/hc/en-us/articles/9833274501786-Important-notice-about-recent-spam-emails-via-Zendesk
  • https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave/
  • https://x.com/nickoates_/status/2012761746503606379
  • https://x.com/troyhunt/status/2012784392607821950
  • https://support.zendesk.com/hc/en-us/articles/4408883658906-Permitting-only-added-users-to-submit-tickets
  • https://support.zendesk.com/hc/en-us/articles/4408832828186-Tips-to-combat-spam-and-protect-your-business


Ampcus Cyber