
Hackers Abuse Convenience Feature of Zendesk Support Systems for Strange Spam Campaign

Unknown attackers abused a Zendesk convenience feature, one that lets anyone open a support ticket without first verifying their email address, to send a bizarre wave of spam that slipped past mail filters. The messages themselves appear to have posed no direct threat, but the incident raises the concern that the same technique could be used to route malicious content through the trusted customer support systems of well-known companies.

Abuse of support systems can provide hackers with a means to slip through spam filters

The real danger of this technique is that the bogus message is genuinely sent by the impersonated company’s support platform rather than merely spoofed, so sender authentication and domain reputation checks pass and the message has a much better chance of getting through automated spam and security filters.

The attack is possible because of a Zendesk convenience feature that lets unverified users create support tickets, supplying any email address they like as the requester’s reply address. Zendesk then sends an automatic confirmation for the bogus ticket to that address, with no check that its owner ever asked for it.

The main limitation is that the support system only echoes back whatever the attacker typed as the ticket title. In this campaign, the titles were a variety of bizarre strings that appear to have been generated automatically from a mix of place names, video game companies and legal terms. The attackers may simply have been trolling, or they may have been probing support systems ahead of a more sophisticated attack; it is unclear whether malicious URLs could have been embedded in the titles and passed on to the recipient.

The campaign began on January 18 of this year. It leveraged the support systems of big-name businesses but seemingly targeted a broad selection of people with no clear pattern. Several prominent security researchers reported receiving hundreds of these Zendesk confirmation messages within a few hours. Companies whose support systems the messages were observed coming from include Discord, Dropbox, NordVPN, Riot Games, and CD Projekt, among numerous others, as well as several government entities such as the Tennessee Departments of Labor and Revenue. Dropbox and several other companies have acknowledged the incident and advised their customers to ignore the messages.

Zendesk has responded by hardening its support systems, adding new detections to catch and block this variant of spam going forward. It also advises its client organizations that the technique can be neutralized by restricting ticket creation to verified users and/or by removing from notification templates the placeholders that reproduce user-supplied content, such as the ticket subject or the requester’s email address, in the outgoing message.
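The property that makes this spam hard to filter, that every message is a genuine auto-reply from a real Zendesk tenant and therefore passes SPF and DKIM, also suggests how a mail team can spot it: one inbox receiving a burst of ticket acknowledgements from many unrelated helpdesk tenants it never contacted. The following Python script is an added example written for this article, not code from Zendesk or from any of the affected companies. It runs that heuristic over a constructed sample mailbox; the `[Request received] …` subject format, the tenant hostnames, the dates and every address in the sample are assumptions, not copied from real messages.

```python
import re
from collections import defaultdict
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# ASSUMPTION: acknowledgement subjects look like "[Request received] <title>".
# Zendesk's real trigger template is configurable per tenant; substitute the
# actual subject line before pointing this at a production mailbox.
ACK_SUBJECT = re.compile(r"^\[Request received\]\s+(?P<title>.*)$")
ZENDESK_HOST = re.compile(r"\.zendesk\.com$", re.IGNORECASE)


def parse_message(raw):
    """Reduce one RFC 5322 header block to the fields the detector needs."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    auth = msg.get("Authentication-Results", "")
    subject = msg.get("Subject", "").strip()
    m = ACK_SUBJECT.match(subject)
    return {
        "recipient": rcpt.lower(),
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "subject": subject,
        "title": m.group("title") if m else None,
        "is_ack": m is not None,
        "ts": parsedate_to_datetime(msg["Date"]),
        # Relay spam is real mail from the real tenant, so both normally pass;
        # they are recorded to show why authentication alone cannot catch it.
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
    }


def find_relay_spam(messages, window=timedelta(hours=1),
                    min_count=5, min_domains=3):
    """Flag recipients who receive at least min_count Zendesk acknowledgements
    from at least min_domains distinct tenants inside one sliding window.
    Returns {recipient: [offending messages, oldest first]}."""
    by_rcpt = defaultdict(list)
    for m in messages:
        if m["is_ack"] and ZENDESK_HOST.search(m["sender_domain"]):
            by_rcpt[m["recipient"]].append(m)
    flagged = {}
    for rcpt, acks in by_rcpt.items():
        acks.sort(key=lambda m: m["ts"])
        for i, first in enumerate(acks):
            burst = [m for m in acks[i:] if m["ts"] - first["ts"] <= window]
            if (len(burst) >= min_count
                    and len({m["sender_domain"] for m in burst}) >= min_domains):
                flagged[rcpt] = burst
                break
    return flagged


def summarize(flagged):
    """Per-recipient summary suitable for an alert body."""
    return {
        rcpt: {
            "count": len(burst),
            "tenants": sorted({m["sender_domain"] for m in burst}),
            "all_authenticated": all(m["spf_pass"] and m["dkim_pass"] for m in burst),
        }
        for rcpt, burst in flagged.items()
    }


def _raw(host, rcpt, subject, date):
    """Build a constructed header block whose SPF and DKIM results both pass."""
    return (f"From: support@{host}\nTo: {rcpt}\nSubject: {subject}\n"
            f"Date: {date}\nAuthentication-Results: mx.example.com; "
            f"spf=pass smtp.mailfrom={host}; dkim=pass header.d={host}\n\n")


# Constructed sample mailbox: tenants, addresses, titles and dates are made up.
_BURST = [  # six acknowledgements from four unrelated tenants in 25 minutes
    ("acme.zendesk.com", "Helsinki Acme Games injunction", "09:00"),
    ("globex.zendesk.com", "Lisbon Initech subpoena", "09:04"),
    ("initech.zendesk.com", "Oslo Globex Studios affidavit", "09:09"),
    ("acme.zendesk.com", "Denver Umbrella Interactive writ", "09:13"),
    ("umbrella.zendesk.com", "Kyoto Initech tort", "09:18"),
    ("globex.zendesk.com", "Lima Acme Games deposition", "09:25"),
]
SAMPLE_MAILBOX = [
    _raw(host, "analyst@example.com", f"[Request received] {title}",
         f"Sun, 18 Jan 2026 {hhmm}:00 +0000")
    for host, title, hhmm in _BURST
] + [
    # One acknowledgement a day earlier for a ticket the analyst really opened.
    _raw("acme.zendesk.com", "analyst@example.com",
         "[Request received] Cannot log in", "Sat, 17 Jan 2026 10:00:00 +0000"),
    # A different recipient with a single legitimate acknowledgement.
    _raw("globex.zendesk.com", "other@example.com",
         "[Request received] Refund status", "Sun, 18 Jan 2026 09:07:00 +0000"),
    # Unrelated mail that must never be counted.
    _raw("news.example.net", "analyst@example.com", "Weekly digest",
         "Sun, 18 Jan 2026 09:05:00 +0000"),
]

if __name__ == "__main__":
    parsed = [parse_message(r) for r in SAMPLE_MAILBOX]
    for rcpt, info in summarize(find_relay_spam(parsed)).items():
        print(rcpt, info)
```

The thresholds are deliberately conservative: a single acknowledgement from one tenant, or several from the same tenant over a day, is what a real customer produces and is left alone. What no ordinary user does is receive half a dozen acknowledgements from unrelated helpdesks inside an hour, and that pattern survives the fact that every one of those messages is properly authenticated.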

Can trusted support ticket spam be used to breach systems?

This is not the first time customer support systems have been abused in this way: Zendesk itself recently reported another wave of the same activity in early December of last year. Calling it a form of “relay spam,” Zendesk frames it as a “potential side effect” of accepting unverified tickets rather than as a vulnerability.

It remains unclear exactly what attackers hope to gain from this approach. While it is theoretically possible to insert a malicious link or file into a request ticket in other products, well-run support systems at major companies will almost certainly prevent user-supplied content of that kind from reaching the outgoing notification. One theory is that attackers use the technique to check quickly whether the addresses on a long list they hold are still active. Another is that it is simply a form of denial of service, rapidly generating a huge number of ticket requests from seemingly valid email addresses to tie up the target company’s helpdesk. Attackers might also have been testing how well the method penetrates spam filters before deploying something more malicious, though tipping Zendesk off ahead of a real attack seems to have been an unwise move.

Though there is not yet any concrete indication that they are involved in this particular case, the relatively new “supergroup” Scattered Lapsus$ Hunters has been documented exploiting Zendesk support systems in this way in the recent past. Its MO is to target helpdesk personnel to breach systems rather than the end users who end up with suspicious tickets in their inboxes. The group has taken the technique a step further by registering dozens of typosquatted domains related to Zendesk, apparently hoping to lure helpdesk staff into visiting one of these malicious addresses. It has also been observed “email bombing” security staff with such notifications in an attempt to drown out legitimate alerts.

Denis Calderone, CRO & COO at Suzu Labs, notes that this potential vulnerability may be propagating simply because organizations do not take it seriously enough: “Zendesk warned customers about this in December and advised restricting ticket creation to verified users. How many organizations actually changed their settings? Probably not many, which is why we’ve been seeing individuals flooded with hundreds of spam emails this January. The fix isn’t a patch, it’s a configuration change, and here’s the lesson: organizations need to threat model their enterprise applications for configuration gotchas during deployment. If teams had asked ‘could our support system be turned into a spam relay?’ they would have disabled unverified ticket submission from day one. Audit your support system settings now. Do you actually need to accept tickets from unverified email addresses? For most companies, no. Require verification, enable CAPTCHA, or restrict ticket submission to authenticated users. Proactive threat modeling beats reactive configuration cleanup.”

Damon Small, Board of Directors, Xcape, adds: “The recent global surge of ‘relay spam’ originating from Zendesk highlights a significant flaw in the trust mechanisms of modern SaaS platforms – the misuse of legitimate notification systems. Attackers have exploited a feature that permits unverified users to submit support tickets, essentially weaponizing the delivery infrastructure of major companies like Discord, Dropbox, and NordVPN. Since these emails are sent from trusted domains, they bypass standard SPF and DKIM filters that are intended to prevent spoofing but not the exploitation of legitimate mail for malicious ends. Relay attacks have existed for as long as email has; however, this incident underscores how seemingly harmless platform features can become avenues for abuse when security measures fail to keep pace with growth. While Zendesk’s response is a positive step, it also places the onus on customers to strengthen their configurations and verify access. As SaaS platforms increasingly serve as communication hubs, abuse prevention needs to be recognized as a fundamental security requirement, not merely an optional setting. When a trusted support system is turned into a spam cannon, it proves that in cybersecurity, chaos becomes the attack.”


Senior Correspondent at CPO Magazine