https://securereading.com/zendesk-support-spam-campaign/

A widespread spam campaign exploited unsecured Zendesk customer support systems to flood users worldwide with hundreds of automated emails from legitimate companies beginning around January 18. Attackers abused a common Zendesk configuration that permits anyone to submit support tickets without email verification, submitting massive volumes of fake tickets using harvested email address lists. Each fraudulent submission triggered automated confirmation emails, effectively transforming trusted corporate Zendesk instances into relay-based spam engines that bypassed conventional email security filters because messages originated from authentic company support infrastructure.

Major organisations, including Discord, Tinder, Riot Games, Dropbox, CD Projekt, NordVPN, Kahoot, Headspace, and Lime, along with government entities such as the Tennessee Department of Labor and the Tennessee Department of Revenue, unknowingly became spam distribution channels. The spam emails featured chaotic and alarming subject lines designed to provoke curiosity or fear, including impersonated legal notices, fake law enforcement alerts, donation confirmations, promotional offers, and heavily stylised Unicode text. While the messages contained no malicious links or traditional phishing attempts, their volume and confusing content created widespread uncertainty among recipients, who struggled to determine whether the communications were legitimate.

Zendesk acknowledged the abuse and announced the deployment of new safety features to detect and limit relay spam activity, while reiterating guidance urging customers to restrict ticket creation and require user verification. Several affected companies, including CD Projekt and Dropbox, publicly reassured users that the emails could be ignored and that no customer accounts were compromised. Security researchers characterise the incident as more disruptive than malicious, likely intended to demonstrate how trusted SaaS platforms can be weaponised when misconfigured, highlighting that open cloud service configurations can rapidly become attack infrastructure even without malware deployment.
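Added example, not code from the article or from Zendesk: a small Python detector run over a constructed ticket-creation log in a hypothetical format. It flags minute windows in which unverified submissions name many distinct requester addresses (the footprint a harvested-list flood leaves, since each fake ticket targets a fresh victim address), and models how a "no auto-reply until the requester address is verified" policy removes the relayed confirmation emails entirely.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of ticket-creation events in a hypothetical log format
# (not Zendesk's own): timestamp, requester address, verification status.
SAMPLE_LOG = """\
2026-01-18T09:00:01Z alice@example.com verified
2026-01-18T09:00:05Z bob@example.net verified
2026-01-18T09:12:00Z v001@victims.example unverified
2026-01-18T09:12:01Z v002@victims.example unverified
2026-01-18T09:12:01Z v003@victims.example unverified
2026-01-18T09:12:02Z v004@victims.example unverified
2026-01-18T09:12:02Z v005@victims.example unverified
2026-01-18T09:12:03Z v006@victims.example unverified
2026-01-18T09:30:00Z carol@example.org unverified
"""


def parse_log(text):
    """Return (timestamp, requester, verified) tuples from the constructed log."""
    events = []
    for line in text.splitlines():
        ts, requester, status = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, requester.lower(), status == "verified"))
    return events


def find_relay_floods(events, window=timedelta(minutes=1), threshold=5):
    """Flag fixed time windows in which unverified submissions arrive from at
    least `threshold` distinct requester addresses. A real user opening several
    tickets reuses one address; a harvested-list flood uses a new one each time.
    Fixed buckets are a simplification; a sliding window would catch floods that
    straddle a bucket boundary."""
    width = int(window.total_seconds())
    distinct = defaultdict(set)
    for when, requester, verified in events:
        if not verified:
            start = int(when.timestamp()) // width * width
            distinct[start].add(requester)
    return sorted((datetime.fromtimestamp(s, tz=timezone.utc), len(r))
                  for s, r in distinct.items() if len(r) >= threshold)


def confirmations_sent(events, require_verification):
    """Count automatic confirmation emails reaching unverified addresses under a
    hypothetical policy model: with require_verification=True no auto-reply is
    sent until the requester address has been verified, so nothing is relayed."""
    return sum(1 for _, _, verified in events
               if not verified and not require_verification)
```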