Attackers Exploit Zendesk Authentication Issue to Flood Targets’ Inboxes with Corporate Notifications

Cybercriminals have discovered a gap in Zendesk’s ticket submission process and are using it to bombard victims with waves of misleading support messages.

When a Zendesk instance is configured to accept anonymous requests, the service can be abused to generate email floods that appear to come from legitimate corporate domains.

Earlier this week, security blogger Brian Krebs was the target of this campaign, receiving thousands of rapid-fire email alerts from more than 100 different Zendesk customers.

[Image from KrebsOnSecurity. Caption: "One of dozens of messages sent to me this week by The Washington Post"]

The flood included notifications supposedly sent by well-known brands such as NordVPN, CompTIA, Tinder, The Washington Post, Discord, GMAC, and CapCom, as reported by KrebsOnSecurity.

Each alert bore the branding and reply-to address of the customer, making it almost impossible to distinguish the spam from genuine ticket notifications.

Anonymous ticket creation enables mass impersonation

According to Zendesk communications director Carolyn Camoens, the platform allows some customers to accept support requests without prior verification.

“These types of support tickets can be part of a customer’s workflow, where a prior verification is not required to allow them to engage and make use of the Support capabilities,” she explained.

Companies may choose this setting to reduce friction for users, but it also means anyone can specify any email address and subject line when opening a new ticket.

By combining anonymous submission with the auto-responder trigger for ticket creation, attackers can craft their own subject lines and force Zendesk to send confirmation messages from the customer’s domain.

Victims see legitimate corporate branding and a familiar reply-to address, such as help@washpost.com, even though the message was generated by a malicious actor.

Replies to these messages go back to the legitimate customer support inbox, spreading the illusion of a valid support case.
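One way a mail administrator could spot the many-against-one flood described above is to look for a single recipient receiving a burst of ticket auto-responses from many distinct customer domains in a short window. The following is an added illustration, not code from the article or from Zendesk; the records, thresholds and the victim and sender addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def detect_ticket_floods(records, window=timedelta(minutes=10),
                         min_messages=20, min_domains=5):
    """Flag recipients hit by a burst of support-ticket notifications.

    records: iterable of (received_at, recipient, sending_domain).
    Returns {recipient: (messages, distinct_domains)} for the largest burst
    within `window` that reaches both thresholds. Ordinary users normally get
    a handful of notifications from one vendor, not dozens from many vendors.
    """
    by_recipient = defaultdict(list)
    for received_at, recipient, domain in records:
        by_recipient[recipient].append((received_at, domain))

    flagged = {}
    for recipient, events in by_recipient.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` before events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            domains = {d for _, d in burst}
            if len(burst) >= min_messages and len(domains) >= min_domains:
                candidate = (len(burst), len(domains))
                if best is None or candidate > best:
                    best = candidate
        if best is not None:
            flagged[recipient] = best
    return flagged


def build_sample_records():
    """Constructed sample data modelled on the flood the article describes."""
    base = datetime(2025, 1, 1, 9, 0, 0)  # constructed timestamp
    # Brands named in the article; the sending domains here are assumptions.
    brands = ["washpost.com", "nordvpn.com", "comptia.org",
              "tinder.com", "discord.com", "capcom.com"]
    records = []
    # Victim: 30 auto-responses from six different customers in about four minutes.
    for i in range(30):
        records.append((base + timedelta(seconds=8 * i),
                        "victim@example.net", brands[i % len(brands)]))
    # Normal user: three genuine updates from one vendor spread over an hour.
    for i in range(3):
        records.append((base + timedelta(minutes=20 * i),
                        "alice@example.net", "washpost.com"))
    return records
```

Running `detect_ticket_floods(build_sample_records())` flags only the victim, reporting 30 messages from 6 domains; the same function can be fed parsed Received headers from a real mail log.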

“We recognize that our systems were leveraged against you in a distributed, many-against-one manner,” said Camoens.

Zendesk is now investigating additional safeguards and advising customers to adopt authenticated ticket workflows that require users to verify their email addresses before auto-responders are triggered.

Until more robust measures are in place, Zendesk customers are urged to adjust their settings to block anonymous ticket creation or to require verification steps such as email confirmations or CAPTCHA challenges.

Failing to validate requesters opens the door to spammers and perceived legal threats that can tarnish a company’s reputation and overwhelm inboxes.

This abuse highlights how automated support tools, when misconfigured, can become a powerful instrument for harassment.

Organizations using Zendesk and similar platforms should review their ticket submission policies today to prevent ne’er-do-wells from weaponizing their own systems against unsuspecting recipients.
