Zendesk Ticket Systems Hijacked in Global Spam Wave

A massive spam campaign has been observed worldwide, exploiting unsecured Zendesk support systems to flood inboxes with hundreds of bizarre and alarming emails.

How the Attack Works

  • Abuse of open ticketing: Zendesk allows unverified users to submit support tickets.
  • Automatic replies: Each fake ticket generates a confirmation email to the entered address.
  • Mass spam: Attackers iterate through large email lists, turning Zendesk into a spam relay.
  • Bypassing filters: Emails originate from legitimate companies’ Zendesk instances, making them harder to block.

Impacted Organizations

Reportedly affected companies include:

  • Tech & gaming: Discord, Riot Games, Dropbox, CD Projekt, Kahoot, Lime.
  • Consumer services: Tinder, NordVPN, Headspace, Maya Mobile, Lightspeed, CTL.
  • Government: Tennessee Department of Labor & Revenue.

Nature of Spam

  • Subjects: Strange, chaotic, sometimes alarming.
  • Examples:
    • “FREE DISCORD NITRO!!”
    • “LEGAL NOTICE FROM ISRAEL FOR Koei Tecmo”
    • “DONATION FOR State Of Tennessee CONFIRMED”
    • Unicode-heavy gibberish strings.
  • Behavior: No phishing links or malware detected; appears more like trolling/disruption than direct exploitation.

Responses

  • Companies (Dropbox, 2K): Confirmed incidents, reassured users no accounts were compromised.
  • Zendesk:
    • Rolled out new safety features (enhanced monitoring, activity limits).
    • Advises customers to:
      • Restrict ticket creation to verified users.
      • Remove placeholders that allow arbitrary email addresses or subjects.
    • Previously warned about “relay spam” in a December advisory.

Defensive Recommendations

  • For organizations using Zendesk:
    • Require email verification for ticket creation.
    • Audit ticket workflows for open submission loopholes.
    • Monitor for unusual spikes in ticket volume.
  • For recipients:
    • Ignore spam confirmations.
    • Verify with official support channels if concerned.
    • Report suspicious patterns to IT/security teams.
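
One way to act on the "monitor for unusual spikes in ticket volume" recommendation, shown as an added example (not code from the article or from Zendesk). It flags bursts in which unverified requesters open many tickets and nearly every ticket names a different address, which is the list-iteration pattern described under "How the Attack Works". The record layout (created_at, requester, verified), the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real data). The tuple layout is an assumption
# for this sketch, not Zendesk's export schema: (created_at, requester, verified).
def build_sample():
    base = datetime(2026, 1, 1, 12, 0, 0)
    events = [(base + timedelta(minutes=10 * i), f"customer{i % 3}@example.com", True)
              for i in range(6)]                       # normal verified traffic
    events += [(base + timedelta(hours=2, seconds=2 * i), f"victim{i}@example.net", False)
               for i in range(40)]                     # burst: one ticket per new address
    return sorted(events)

def detect_relay_bursts(events, window=timedelta(minutes=5),
                        min_tickets=20, min_distinct_ratio=0.9):
    """Flag windows where unverified requesters open many tickets and almost
    every ticket names a different address (the list-iteration pattern)."""
    recent = deque()          # unverified tickets inside the sliding window
    alerts = []
    in_burst = False          # suppress repeat alerts while a burst continues
    for created_at, requester, verified in events:
        if verified:
            continue
        recent.append((created_at, requester.lower()))
        while recent and created_at - recent[0][0] > window:
            recent.popleft()
        distinct = len({addr for _, addr in recent})
        ratio = distinct / len(recent)
        hit = len(recent) >= min_tickets and ratio >= min_distinct_ratio
        if hit and not in_burst:
            alerts.append({"start": recent[0][0], "detected_at": created_at,
                           "tickets": len(recent), "distinct_requesters": distinct})
        in_burst = hit
    return alerts

if __name__ == "__main__":
    for alert in detect_relay_bursts(build_sample()):
        print(alert)
```

The distinct-address ratio is what separates this pattern from a single customer resubmitting the same form repeatedly; tune the window and thresholds against normal ticket volume before alerting on them.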

Takeaway

This incident highlights how legitimate customer service platforms can be weaponized when misconfigured. Even without malicious payloads, the volume and legitimacy of the emails make them disruptive and alarming, underscoring the need for tight access controls in support systems.
