Executive Summary
In June 2024, multiple organizations using Zendesk experienced a widespread spam campaign that abused legitimate Zendesk instances to distribute malicious and unwanted emails. Attackers leveraged open or misconfigured support ticketing forms, submitting large volumes of spam through these systems so that the resulting ticket notifications, sent from the victim brand's own Zendesk domain, carried the attackers' content. Zendesk responded by stating that the event was not tied to any software vulnerability or security breach in the platform itself. Business impact centered on increased phishing risk and operational noise in customer service channels, as well as potential reputational harm to affected brands.
This incident highlights a growing trend where attackers abuse trusted SaaS communication channels to bypass traditional email security filters. As threat actors increasingly focus on exploiting third-party platforms and automation, organizations face new challenges securing digital touchpoints against social engineering and spam-based threats.
Why This Matters Now
The abuse of legitimate SaaS platforms like Zendesk to distribute spam and phishing amplifies threats that evade perimeter defenses. With the acceleration of SaaS adoption and customer-facing digital transformation, organizations must act swiftly to address these blind spots in their security posture.
Attack Path Analysis
Attackers initiated a mass spam campaign by abusing Zendesk's email workflows, most likely through open or unauthenticated support request mechanisms (Initial Compromise). No evidence suggests escalation beyond the interactions the SaaS platform already permitted to anonymous submitters (Privilege Escalation). There was no internal lateral movement, since the campaign was aimed at external spam proliferation rather than at the tenant itself (Lateral Movement). The attackers drove the campaign with programmatic or automated traffic against the public submission endpoints (Command & Control), but no data exfiltration or compromise of sensitive resources was detected (Exfiltration). The main impact was widespread delivery of spam emails from trusted sender domains, risking brand reputation and exposing recipients to phishing (Impact).
Kill Chain Progression
Initial Compromise
Description
Attackers abused public support submission forms or ticket APIs in Zendesk to inject spam messages into ticket workflows, causing the instance's own notification emails to deliver the content to targeted inboxes.
Related CVEs
Note: the CVEs below affect third-party WordPress integration plugins for Zendesk, not the Zendesk ticket-submission workflow abused in this campaign. Zendesk attributed the campaign to misuse of legitimately exposed functionality rather than to a vulnerability, so patching these plugins does not by itself close the abused path.

CVE-2023-23716 (CVSS 6.5): Missing Authorization vulnerability in Zendesk Support for WordPress allows exploitation of incorrectly configured access control security levels.
Affected Products: Zendesk Support for WordPress <= 1.8.4
Exploit Status: no public exploit

CVE-2024-12443 (CVSS 5.4): Stored Cross-Site Scripting vulnerability in the CRM Perks WordPress HelpDesk Integration plugin allows authenticated attackers to inject arbitrary web scripts.
Affected Products: CRM Perks WordPress HelpDesk Integration <= 1.1.6
Exploit Status: no public exploit

CVE-2025-32269 (CVSS 4.3): Cross-Site Request Forgery vulnerability in the CRM Perks WP Zendesk plugin allows unauthorized changes to settings.
Affected Products: CRM Perks WP Zendesk <= 1.1.3
Exploit Status: no public exploit

CVE-2025-47456 (CVSS 5.4): Open Redirect vulnerability in the CRM Perks WP Gravity Forms Zendesk plugin allows phishing attacks.
Affected Products: CRM Perks WP Gravity Forms Zendesk <= 1.1.2
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Phishing (T1566)
Compromise Infrastructure (T1584)
Phishing for Information (T1598)
Gather Victim Identity Information (T1589)
Obtain Capabilities: Tool (T1588.002)
Application Layer Protocol: Web Protocols (T1071.001)
Brute Force: Credential Stuffing (T1110.004)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Anti-Phishing Mechanisms
Control ID: 5.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9(1)
CISA ZTMM 2.0 – Email Security: Detect and Prevent Malicious Email
Control ID: 1.2.2
NIS2 Directive – Incident Handling and Response
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Zendesk spam attacks exploit CRM platforms widely used by software companies, compromising customer communications and requiring enhanced egress security controls.
Financial Services
Mass spam campaigns through trusted CRM systems threaten financial institutions' client relationships and their compliance with PCI DSS and other client data protection requirements.
Health Care / Life Sciences
Healthcare organizations using Zendesk face elevated phishing risk through abused customer service channels and potential violations of HIPAA communication security standards.
Professional Training
Training providers relying on CRM platforms for client engagement face reputational damage from spam attacks bypassing traditional email security measures.
Sources
- Mass Spam Attacks Leverage Zendesk Instances: https://www.darkreading.com/threat-intelligence/mass-spam-attacks-zendesk-instances
- Zendesk Users Targeted by Scattered Lapsus$ Hunters Hackers and Fake Support Sites: https://www.techradar.com/pro/security/zendesk-users-targeted-by-scattered-lapsus-usd-hunters-hackers-and-fake-support-sites
- The Scattered Lapsus$ Hunters Group is Targeting Zendesk Customers – Here's What You Need to Know: https://www.itpro.com/security/cyber-attacks/the-scattered-lapsus-usd-hunters-group-is-targeting-zendesk-customers-heres-what-you-need-to-know
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, centralized network policy, and egress security controls would have limited SaaS automation abuse by restricting automated bot traffic, containing unauthorized flows, and providing real-time visibility into anomalous submissions. Inline controls and robust segmentation reduce attack surface and mitigate the risk of excess spam propagation.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline inspection would have identified high-volume, anomalous, or malformed external requests.
Control: Zero Trust Segmentation
Mitigation: Segmentation ensures only validated identities can access elevated SaaS functions.
Control: East-West Traffic Security
Mitigation: Internal movement between workloads and zones would be detected and blocked. This control is defense in depth here rather than a direct countermeasure: no lateral movement was observed in this campaign, which stayed on the public submission path.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility would have detected suspicious automation and repeated request patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data flows to unauthorized or non-whitelisted destinations would be blocked.
URL and traffic filtering reduces the ability for attackers to use cloud resources for spam or further attacks.
Impact at a Glance
Affected Business Functions
- Customer Support
- IT Helpdesk
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of customer support tickets, including sensitive user information and internal communications.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation across all user and workload access to SaaS endpoints.
- Deploy real-time traffic visibility and anomaly detection for SaaS and automation abuse patterns.
- Implement strict egress policies to prevent unauthorized outbound communications from cloud or SaaS services.
- Leverage inline network security fabric to block high-volume automated or malformed request activity.
- Regularly audit and harden public-facing workflow APIs to minimize abuse from unauthenticated sources.
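The attack path above (automated submissions to an open ticket form, each naming a different victim as requester so the instance's own notifications carry the spam) and the anomaly-detection recommendation in this list both come down to the same telemetry question: what does a ticket-form spam burst look like in the ticket-creation log, and how do you flag it before thousands of notifications go out? The following is an added example, not code from the original page or from Zendesk. It runs three sliding-window rules over ticket-creation events: too many tickets from one source IP, too many distinct requester addresses from one source IP (the tell-tale of victim-addressed spam), and the same subject repeated across tickets. The event field names (`ts`, `source_ip`, `requester`, `subject`) are assumptions about how an export or webhook might present such records, and the sample events are constructed, not real audit data.

```python
"""Sliding-window detection of ticket-form spam bursts (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample ticket-creation events (not real Zendesk data). Two legitimate
# tickets, then eight submissions from one IP in under two minutes, each naming a
# different requester and reusing one subject, then one more legitimate ticket.
# The field names are assumptions about how an export or webhook might present them.
SAMPLE_EVENTS = "\n".join([
    '{"ts":"2024-06-03T09:00:00Z","source_ip":"198.51.100.20","requester":"alice@example.org","subject":"Cannot log in to portal"}',
    '{"ts":"2024-06-03T09:00:40Z","source_ip":"198.51.100.21","requester":"bob@example.org","subject":"Invoice question"}',
] + [
    '{"ts":"2024-06-03T09:0%d:%02dZ","source_ip":"203.0.113.7","requester":"victim%d@example.net",'
    '"subject":"URGENT: your account has been suspended, verify now"}' % (1 + i // 4, (i % 4) * 15, i + 1)
    for i in range(8)
] + [
    '{"ts":"2024-06-03T09:03:00Z","source_ip":"198.51.100.22","requester":"carol@example.org","subject":"Feature request"}',
])


@dataclass
class Alert:
    rule: str        # which rule fired
    key: str         # source IP or normalized subject the rule keyed on
    count: int       # observations in the window when the threshold was crossed
    window_start: datetime
    window_end: datetime


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines events, converting the RFC 3339 timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def normalize_subject(subject: str) -> str:
    """Collapse case and whitespace so trivially varied subjects still match."""
    return " ".join(subject.lower().split())


def detect_bursts(events: list[dict], window: timedelta = timedelta(minutes=5),
                  max_tickets_per_ip: int = 5, max_requesters_per_ip: int = 3,
                  max_same_subject: int = 4) -> list[Alert]:
    """Return one Alert per (rule, key) the first time its threshold is exceeded."""
    by_ip: dict[str, deque] = defaultdict(deque)       # ip -> (ts, requester) in window
    by_subject: dict[str, deque] = defaultdict(deque)  # subject -> ts in window
    fired: set[tuple[str, str]] = set()
    alerts: list[Alert] = []

    def fire(rule: str, key: str, count: int, start: datetime, end: datetime) -> None:
        if (rule, key) not in fired:          # alert once per offender, not per event
            fired.add((rule, key))
            alerts.append(Alert(rule, key, count, start, end))

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, ip = ev["ts"], ev["source_ip"]

        q = by_ip[ip]
        q.append((ts, ev["requester"].lower()))
        while ts - q[0][0] > window:          # evict events older than the window
            q.popleft()
        if len(q) > max_tickets_per_ip:
            fire("ticket_burst", ip, len(q), q[0][0], ts)
        distinct = {r for _, r in q}
        if len(distinct) > max_requesters_per_ip:
            # One IP submitting on behalf of many requesters is the victim-addressed
            # spam pattern: each ticket triggers a notification to someone else.
            fire("many_requesters", ip, len(distinct), q[0][0], ts)

        subj = normalize_subject(ev["subject"])
        sq = by_subject[subj]
        sq.append(ts)
        while ts - sq[0] > window:
            sq.popleft()
        if len(sq) > max_same_subject:
            fire("repeated_subject", subj, len(sq), sq[0], ts)

    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a.rule:17} key={a.key!r} count={a.count} "
              f"{a.window_start:%H:%M:%S}-{a.window_end:%H:%M:%S}")
```

The thresholds are deliberately low so the constructed burst trips all three rules; on a real instance, baseline them against a week of legitimate traffic, and treat `many_requesters` as the highest-fidelity signal, since a genuine customer almost never files tickets under several different email addresses from one address in a few minutes. Feeding an alert back into a block on the form (CAPTCHA, rate limit, or temporarily requiring verified requesters) is what turns this detection into the inline control the recommendations describe.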

