Abused Zendesk support portals fuel global spam surge

Unsecured customer support systems were used to generate large volumes of confusing automated emails worldwide.

What happened

A global spam wave began on January 18, 2026, after attackers exploited Zendesk support portals that allow unverified users to submit tickets. According to BleepingComputer, attackers created large numbers of fake support requests using lists of email addresses, triggering automated confirmation messages from legitimate company Zendesk instances. As a result, recipients received hundreds of emails with unusual or alarming subject lines, even though they never submitted a support request.

Going deeper

Zendesk platforms often allow anyone to submit a support ticket without creating or verifying an account. Attackers abused this feature by repeatedly submitting tickets on behalf of unrelated email addresses. Each submission caused Zendesk to send an automated reply confirming receipt of the ticket. Because the emails originated from real company domains and legitimate Zendesk infrastructure, they bypassed many spam filters. Affected organizations included Discord, Dropbox, Riot Games, NordVPN, Tinder, and multiple US state agencies. While the messages did not contain malicious links, their volume and misleading subject lines created confusion and concern among recipients.

What was said

Several companies confirmed that their customer support systems were abused to send unauthorized messages. In a response shared with recipients and cited by BleepingComputer, 2K, one of the companies affected by the campaign, said some users may have received messages tied to support tickets they did not create.

“You may have recently received an automated response or notification regarding a support ticket that you did not submit. We want to clarify why this might have happened and assure you there is no cause for concern,” the company wrote.

Zendesk also acknowledged the abuse. In comments to BleepingComputer, the company said, “We’ve introduced new safety features to address relay spam, including enhanced monitoring and limits designed to detect unusual activity and stop it more quickly,” and added, “We want to assure everyone that we are actively taking steps, and continuously improving, to protect our platform and users.” Zendesk has previously warned customers about this type of activity, describing the abuse as “relay spam.”

In the know

Zendesk was a target of other recent threats. According to reporting by Cybersecurity Dive, attackers were observed abusing compromised credentials and OAuth access to move laterally across Zendesk environments tied to customer support workflows. Researchers said the campaigns focused on harvesting support tickets, internal notes, and user data rather than deploying malware. Because the activity relied on legitimate access paths inside a trusted SaaS platform, it was harder to spot and didn’t trigger traditional intrusion alerts. The findings echo a broader pattern where attackers favor abusing business tools and identity access over exploiting software flaws, especially in environments that store sensitive customer or patient communications.

FAQs

Why did these emails bypass spam filters?

They were sent through legitimate Zendesk systems operated by real companies, which caused email providers to treat them as trusted traffic.

Did the spam contain malware or phishing links?

No. The messages did not include malicious links or attachments, but the content was misleading and disruptive.

How did attackers generate such high volumes of email?

They automated ticket submissions using large lists of email addresses, triggering confirmation emails for each entry.

What can companies do to prevent similar abuse?

They can require verified accounts for ticket creation, restrict subject field inputs, apply rate limits, and monitor for abnormal ticket activity.

Should recipients respond to or interact with the emails?

No. Recipients should ignore the messages and avoid replying, clicking links, or providing information.