A massive spam wave is currently exploiting unsecured Zendesk support systems to flood global inboxes with hundreds of automated ticket confirmations. Although these emails often feature alarming or bizarre subject lines, they appear to be a high-volume trolling campaign rather than a direct phishing threat.
Starting on January 18th, a surge of spam emails began hitting users worldwide, originating from legitimate support platforms of major companies like Discord, Tinder, and Dropbox. These messages are generated because attackers are exploiting Zendesk’s default setting that allows unverified users to submit support tickets. By automating the creation of thousands of fake tickets using stolen email lists, the attackers trigger the platforms to send official automated replies to the unsuspecting victims.
The subject lines of these emails vary wildly, ranging from fake legal notices and law enforcement notifications to offers for free services or desperate pleas for help. Some messages use complex Unicode characters to bypass filters, while others impersonate major gaming and tech corporations to create a sense of urgency. Because the emails are sent from the authenticated domains of trusted companies, they frequently bypass traditional spam filters and land directly in the primary inboxes of recipients.
Despite the intrusive nature of the campaign, security experts and affected companies note that the emails generally do not contain malicious links or malware. Companies like 2K and Dropbox have issued statements explaining that their open support policies—intended to make it easy for customers to report bugs—were abused to facilitate this relay spam. They have assured users that no account data has been compromised and that no sensitive actions are taken based on these unauthenticated tickets.
Zendesk has responded to the situation by implementing new safety features, including enhanced monitoring and stricter limits on ticket creation to detect and stop unusual activity more quickly. The company had previously warned its clients about the potential for relay spam in late 2024, advising organizations to harden their systems. These security recommendations include requiring email verification before a ticket can be created and removing certain automated placeholders that allow attackers to control the content of the outgoing email.
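The two hardening recommendations above can be checked offline against an export of a help desk's notification triggers. The following is an added example, not code from Zendesk or from the source article. It assumes the export follows the JSON shape of Zendesk's triggers API (a `notification_user` action whose value is recipient, subject, body); the placeholder list, the recipient names and the sample data are assumptions to adjust for your own instance.

```python
import re

# Assumption: placeholders that expand to text typed by the ticket submitter.
# The page does not list them; adjust this set after your own review.
REQUESTER_CONTROLLED = {
    "ticket.title", "ticket.description", "ticket.latest_comment",
    "ticket.latest_public_comment", "ticket.comments_formatted",
}
# Assumed recipient values that resolve to the (possibly unverified)
# email address supplied on the ticket.
REQUESTER_RECIPIENTS = {"requester_id", "requester_and_ccs"}
PLACEHOLDER_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

def audit_triggers(export):
    """Flag active triggers that email the requester requester-controlled text."""
    findings = []
    for trig in export.get("triggers", []):
        if not trig.get("active", False):
            continue
        for action in trig.get("actions", []):
            value = action.get("value")
            if action.get("field") != "notification_user" or not isinstance(value, list):
                continue
            recipient, subject, body = (list(value) + ["", "", ""])[:3]
            if recipient not in REQUESTER_RECIPIENTS:
                continue
            used = set(PLACEHOLDER_RE.findall(f"{subject}\n{body}"))
            risky = sorted(used & REQUESTER_CONTROLLED)
            if risky:
                findings.append({"id": trig.get("id"), "placeholders": risky})
    return findings

def _notify(recipient, subject, body):
    # Hypothetical helper that builds one email action for the sample below.
    return [{"field": "notification_user", "value": [recipient, subject, body]}]

# Constructed sample in the assumed export shape (not real data).
SAMPLE = {"triggers": [
    {"id": 1, "title": "Notify requester of received request", "active": True,
     "actions": _notify("requester_id", "Received: {{ticket.title}}",
                        "We got your request:\n{{ticket.description}}")},
    {"id": 2, "title": "Notify requester (hardened)", "active": True,
     "actions": _notify("requester_id", "Request #{{ticket.id}} received",
                        "Our team will reply soon.")},
    {"id": 3, "title": "Notify agents", "active": True,
     "actions": _notify("all_agents", "New ticket", "{{ticket.description}}")},
]}

if __name__ == "__main__":
    for f in audit_triggers(SAMPLE):
        print(f"trigger {f['id']}: remove {', '.join(f['placeholders'])}")
```

Only trigger 1 is reported: trigger 2 sends fixed text to the requester, and trigger 3 echoes the description to agents rather than to the address on the ticket.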
Recipients of these emails are advised to remain calm and ignore the messages, as they are part of a widespread effort to cause confusion rather than a targeted security breach of their personal accounts. As more companies update their Zendesk configurations to restrict ticket creation to verified users, the volume of this specific spam wave is expected to subside. For now, the primary inconvenience remains the sheer number of notifications cluttering the digital workspaces of those targeted.
Source: Zendesk Ticket Systems Hijacked In Massive Global Spam Campaign



This is such a clever exploitation of legitimate systems! What really stands out is how the attackers weaponized trust—using authenticated domains means these emails sail right past traditional filters. I dunno if Zendesk's retroactive fixes will be enough since the damage relies on companies maintaining open support policies for genuine users. We saw something similar with SendGrid abuse a few years back.