Unsecured Zendesk Systems Fueling Global Spam Epidemic

Security Reporter

Attackers are exploiting unverified ticket submission features in Zendesk support platforms to bombard users worldwide with hundreds of spam emails, bypassing filters by impersonating legitimate companies like Discord, Tinder, and government agencies.

People worldwide are reporting inbox flooding from an unusual source: legitimate customer support systems. A massive spam wave exploiting unsecured Zendesk instances has delivered hundreds of confusing emails per recipient since January 18th, with subject lines ranging from fake law enforcement alerts to promises of free Discord Nitro.

How the Attack Works

Attackers abuse Zendesk's default setting allowing unverified users to submit support tickets. When creating fake tickets, they enter target email addresses, triggering automatic confirmation messages from legitimate company domains. This transforms customer service platforms into spam cannons. As cybersecurity expert Daniel Goldberg explains: "These aren't typical phishing emails – they weaponize legitimate business workflows against recipients."

Affected organizations include:

  • Discord, Tinder, Dropbox
  • Riot Games, CD Projekt (2k.com)
  • NordVPN, Kahoot, Headspace
  • Tennessee Department of Revenue and Labor
  • Maya Mobile, Lightspeed, CTL, Lime

[Image: Wave of spam coming from unsecured Zendesk instances]

Why It Bypasses Defenses

These emails evade spam filters because they originate from authentic corporate domains (e.g., @discord.zendesk.com). Subjects contain alarming phrases like "LEGAL NOTICE FROM ISRAEL" or Unicode-decorated text (e.g., "鶊坝鱎煅貃姄捪娂隌籝鎅熆媶鶯暘咭珩愷譌argentine恖"), creating confusion without malicious payloads.

Official Responses

Several companies confirmed attacks:

2K Games' statement:

"Our system allows anyone to submit support tickets without account verification. Rest assured we don't process sensitive requests without direct account holder instruction."

Zendesk's mitigation:

"We've deployed new safety features including enhanced monitoring and activity limits to detect and stop relay spam faster. We're continuously improving protections."

The company had previously warned about "relay spam" in a December advisory, recommending organizations implement verification requirements.

Protection Recommendations

For Companies:

  1. Enable "verified users only" ticket submission in Zendesk settings
  2. Remove placeholder fields accepting arbitrary email addresses
  3. Implement rate limiting for ticket creation
  4. Monitor for unusual ticket volume spikes
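
Recommendations 3 and 4 can be prototyped against ticket-creation logs before any platform setting is changed. The sketch below is an added example, not code from Zendesk or from the original article; the event fields (timestamp, source IP, requester email), the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from statistics import median

# Constructed sample: (epoch_seconds, source_ip, requester_email) for each
# ticket created through an unauthenticated form. Field names are assumptions.
def sample_events():
    normal = [(t * 900, f"198.51.100.{t % 7 + 1}", f"user{t % 7}@example.org")
              for t in range(40)]
    burst = [(20000 + i * 5, "203.0.113.9", f"victim{i}@example.net")
             for i in range(30)]
    return sorted(normal + burst)

def relay_sources(events, window_s=600, max_distinct=5):
    """Source IPs that opened tickets for more than max_distinct different
    requester addresses inside any sliding window of window_s seconds.
    Returns {ip: highest distinct-requester count observed}."""
    recent = defaultdict(deque)          # ip -> deque of (ts, email)
    flagged = {}
    for ts, ip, email in events:         # events must be sorted by time
        q = recent[ip]
        q.append((ts, email.lower()))
        while q and q[0][0] <= ts - window_s:
            q.popleft()                  # drop entries older than the window
        distinct = len({e for _, e in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def volume_spikes(events, bucket_s=3600, factor=4, floor=5):
    """Time buckets whose ticket count exceeds factor x the median bucket.
    floor keeps a very quiet baseline from flagging ordinary traffic."""
    counts = defaultdict(int)
    for ts, _, _ in events:
        counts[ts // bucket_s] += 1
    baseline = max(median(counts.values()), floor)
    return {b: n for b, n in counts.items() if n > factor * baseline}

if __name__ == "__main__":
    ev = sample_events()
    print("relay sources:", relay_sources(ev))
    print("volume spikes:", volume_spikes(ev))
```

The per-source check catches one client submitting tickets on behalf of many different addresses; the volume check still fires when submissions are spread across many source IPs.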

For Users:

  • Mark messages as spam (trains filters)
  • Never engage with content
  • Check sender addresses carefully
  • Report incidents to the legitimate company

While this spam wave appears designed for disruption rather than data theft, it demonstrates how business tools can become attack vectors when security defaults aren't hardened. As Zendesk implements new safeguards, organizations must proactively configure their instances to prevent abuse.
