Executive Summary
In January 2026, a large global spam campaign abused Zendesk support instances that accept tickets from anyone. Zendesk can be configured to create a ticket from any submitted requester address without verifying that the submitter controls that address; attackers scripted fake support requests naming their targets as requesters, so Zendesk sent each target a stream of automated ticket-confirmation emails in the brand's name, in some cases hundreds per recipient. Instances belonging to Discord, Tinder, Riot Games, Dropbox and government agencies were used, and recipients received alarming and confusing messages that genuinely originated from those organizations' support channels. No malicious payloads were identified, but the campaign caused significant alarm, confusion and business interruption for the affected parties.
The attackers' ability to drive trusted service communications underscores a growing class of platform abuse, in which legitimate systems are turned against users to sidestep security controls and cause disruption. With organizations increasingly reliant on third-party SaaS for customer engagement, the incident shows how a gap in self-service intake security can have wide-reaching and highly visible effects.
Why This Matters Now
This incident highlights the need for stronger requester verification and anti-abuse controls in widely used SaaS platforms. As attackers shift from traditional malware to TTPs that exploit trust in cloud-based business tools, organizations must proactively secure the channels those tools use to speak to customers, both to protect their brands and to prevent service abuse at scale.
Attack Path Analysis
Attackers abused open Zendesk support forms that allowed unauthenticated users to submit tickets on behalf of any requester address, triggering legitimate automated notifications to the victims. No privileged access or escalation was observed: the attackers exploited permissive business logic rather than a software vulnerability. There was no evidence of lateral movement or pivoting into the affected organizations' environments. No command-and-control channel was needed, since the platform's own automated responses were the delivery mechanism. No exfiltration occurred, since no sensitive data was accessed. The core impact was mailbox flooding and confusion for end users, caused by misused notification workflows.
Kill Chain Progression
Initial Compromise
Description
Attackers abused Zendesk ticket submission portals that were exposed to the public without requester verification, scripting fake support requests in bulk, each naming a victim's address as the requester.
Related CVEs
None of the following was used in this campaign; as the Attack Path Analysis notes, the abuse relied on permissive business logic, not a software vulnerability. They concern third-party WordPress plugins that forward form submissions into Zendesk and are listed only because they sit in the same ticket-intake path.
CVE-2025-47456 (CVSS 4.7)
An open redirect vulnerability in the CRM Perks WP Gravity Forms Zendesk plugin allows unauthenticated attackers to redirect users to malicious sites, facilitating phishing attacks.
Affected Products:
CRM Perks WP Gravity Forms Zendesk – <= 1.1.2
Exploit Status:
no public exploit
CVE-2025-24558 (CVSS 6.1)
A reflected cross-site scripting (XSS) vulnerability in the CRM Perks WordPress HelpDesk Integration plugin allows attackers to inject malicious scripts, potentially leading to session hijacking or defacement.
Affected Products:
CRM Perks WordPress HelpDesk Integration – <= 1.1.5
Exploit Status:
no public exploit
CVE-2025-32269 (CVSS 4.3)
A cross-site request forgery (CSRF) vulnerability in the CRM Perks WP Zendesk plugin allows attackers to perform unauthorized actions on behalf of authenticated users, potentially leading to privilege escalation.
Affected Products:
CRM Perks WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms – <= 1.1.3
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service (T1566.003): the victim-facing messages are delivered by a third-party service, Zendesk, rather than by attacker-owned mail infrastructure.
Compromise Infrastructure: Web Services (T1584.006): the abused Zendesk instances belong to the impersonated brands, not to the attackers.
Exploit Public-Facing Application (T1190): applies only loosely; the Attack Path Analysis found permissive business logic in a public ticket form, not a software vulnerability.
Techniques involving data collection, authentication modification, code-signing certificates or network denial of service do not apply here: the Attack Path Analysis found no data access, no privileged access and no infrastructure outage, only mailbox flooding.
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Implement Processes for Monitoring
Control ID: 10.6.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (EU Digital Operational Resilience Act) – ICT Security Policies and Procedures
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – User Authentication and Authorization
Control ID: Identity - Pillar 1.1
NIS2 Directive – Cybersecurity Risk-management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the abuse, including operational, regulatory and cloud security risks.
Information Technology/IT
Abuse of the Zendesk customer service platform produces large spam waves that pass email authentication because the messages really are sent by the brand's own instance; sender-reputation filtering alone does not stop them, so enhanced egress filtering and policy enforcement on the SaaS side are required.
Computer Games
Gaming-sector organizations including Discord, Riot Games and CD Projekt had their ticket systems used to relay spam; because the notifications are authentic outbound mail from each brand's support address, traditional email security controls based on sender reputation and authentication (SPF, DKIM, DMARC) do not block them.
Financial Services
Customer support systems open to relay spam could be used for social engineering in the brand's name and create compliance exposure; ticket intake should be treated as an untrusted input path and gated with zero trust controls.
Government Administration
Tennessee state departments targeted in the wave show that government support systems are equally susceptible; cross-cloud visibility and anomaly detection over SaaS activity are needed to spot such abuse early.
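The sector notes above repeatedly make the same point: these notifications pass SPF, DKIM and DMARC because the brand's own Zendesk instance really did send them, so a receiving organization has to key on volume per mailbox rather than on authentication failures. The following is an added example, not code from any source cited on this page or from a mail vendor, showing that triage over a constructed inbox slice. The messages are built to resemble Zendesk "request received" notifications; the sender domain brand.zendesk.com, the corp.example recipients and the threshold of 10 messages in 10 minutes are assumptions.

```python
"""Recipient-side triage of a Zendesk notification flood.

Added example, not from the page's sources or any mail vendor. The messages
are constructed to resemble Zendesk "request received" notifications; the
domains, addresses and the 10-per-10-minutes threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from email import message_from_string, utils

FROM_DOMAIN = "brand.zendesk.com"  # assumed sender domain of the abused instance
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def make_notification(request_id, rcpt, sent_at, from_domain=FROM_DOMAIN):
    """Constructed notification. The authentication results are 'pass' on
    purpose: the flood really is sent by the brand's own Zendesk instance."""
    return (
        f"From: Brand Support <support@{from_domain}>\r\n"
        f"To: {rcpt}\r\n"
        f"Subject: [Request received] Account notice {request_id}\r\n"
        f"Date: {utils.format_datetime(sent_at)}\r\n"
        f"Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom={from_domain}; "
        f"dkim=pass header.d={from_domain}; dmarc=pass header.from={from_domain}\r\n"
        "\r\n"
        f"Your request ({request_id}) has been received and is being reviewed.\r\n"
    )


def auth_results(msg):
    """Pull the spf/dkim/dmarc verdicts out of the MX's Authentication-Results header."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))


def verdicts(raw):
    """Convenience wrapper: authentication verdicts for one raw RFC 5322 message."""
    return auth_results(message_from_string(raw))


def sender_domain(msg):
    return utils.parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def find_floods(raw_messages, window=timedelta(minutes=10), threshold=10):
    """Group notifications by (recipient, sender domain) and flag any mailbox
    that receives `threshold` or more inside `window`. Authentication verdicts
    are reported, not filtered on: in this campaign they all pass."""
    buckets = defaultdict(list)
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpt = utils.parseaddr(msg.get("To", ""))[1].lower()
        when = utils.parsedate_to_datetime(msg["Date"])
        buckets[(rcpt, sender_domain(msg))].append((when, auth_results(msg)))
    floods = []
    for (rcpt, dom), items in buckets.items():
        items.sort(key=lambda x: x[0])
        i = 0  # left edge of the sliding time window
        for j in range(len(items)):
            while items[j][0] - items[i][0] > window:
                i += 1
            if j - i + 1 >= threshold:
                floods.append({
                    "recipient": rcpt,
                    "sender_domain": dom,
                    "count": len(items),
                    "all_dmarc_pass": all(a.get("dmarc") == "pass" for _, a in items),
                })
                break
    return floods


def build_sample():
    """Constructed inbox slice: one colleague's single genuine notification and
    one victim who receives 25 notifications in 75 seconds."""
    base = datetime(2026, 1, 14, 12, 0, tzinfo=timezone.utc)
    raws = [make_notification(7001, "colleague@corp.example", base - timedelta(hours=2))]
    raws += [make_notification(8000 + n, "victim@corp.example", base + timedelta(seconds=3 * n))
             for n in range(25)]
    return raws


if __name__ == "__main__":
    for flood in find_floods(build_sample()):
        print(flood)
```

The report deliberately carries `all_dmarc_pass` alongside the count: a rule that only quarantines authentication failures would have let every one of these through, which is the point the sector notes make. In production the same grouping would run over a mail-gateway log feed rather than raw messages, with the threshold set from the organization's normal per-mailbox rate of support notifications.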
Sources
- Zendesk ticket systems hijacked in massive global spam wave (BleepingComputer): https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave/
- Unsecured Zendesk systems fuel massive global spam wave (SC World): https://www.scworld.com/brief/unsecured-zendesk-systems-fuel-massive-global-spam-wave
- Zendesk Relay Spam Campaign (Ampcus Cyber): https://www.ampcuscyber.com/shadowopsintel/zendesk-relay-spam-campaign/
- Hackers are abusing Zendesk to run brand impersonation scams (TechRadar): https://www.techradar.com/pro/security/hackers-are-abusing-zendesk-to-run-brand-impersonation-scams
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Gating ticket intake on verified identities, restricting each workflow to its intended scope, and centralizing visibility over SaaS activity would have limited the attack path, kept unverified submitters from creating tickets, and surfaced the automation quickly. Egress policy enforcement and inline controls would further contain the downstream blast radius if an abused SaaS service were used for more than notification spam.
Control: Zero Trust Segmentation
Mitigation: Ticket creation is permitted only for authenticated or verified requesters, blocking automated mass submission, and each identity's access is limited to the resources its workflow needs, minimizing pivot risk if further weaknesses existed.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal service access should attackers attempt to move beyond the support system.
Control: Multicloud Visibility & Control
Mitigation: Spikes in ticket submission and repetitive external automation are detected and flagged quickly.
Control: Egress Security & Policy Enforcement
Mitigation: Unusual outbound traffic or unauthorized destinations from SaaS systems are constrained.
Inline policy enforcement and behavioral anomaly detection cut off abuse before it reaches large-scale impact.
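The visibility control above says spikes in ticket submission and repetitive automation should be flagged; the signature of this campaign on the instance side is a short burst of anonymous-channel tickets, each naming a different requester address, sharing one subject template. The following is an added example, not Zendesk's code or code from any source cited on this page, that detects that pattern over a constructed ticket export. The record fields follow the shape of Zendesk's Tickets API JSON (id, created_at, subject, via.channel, requester.email), but the records, addresses and thresholds are assumptions to be tuned against a real instance's baseline.

```python
"""Burst detection over Zendesk-style ticket records.

Added example (not Zendesk's code, nor from any source cited on this page).
Field names follow the shape of Zendesk's Tickets API JSON; the records are
constructed by hand and the thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Channels on which an instance may accept a requester address nobody has verified.
ANON_CHANNELS = {"web", "api"}


def parse_ts(s):
    """Zendesk timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_signature(subject):
    """Collapse digits, punctuation and case so templated subjects compare equal."""
    s = re.sub(r"\d+", "#", subject.lower())
    s = re.sub(r"[^a-z#]+", " ", s)
    return " ".join(s.split())


def span_stats(span):
    """Distinct requester count and the most common subject signature in a span."""
    requesters = {t["requester"]["email"].lower() for _, t in span}
    sigs = Counter(subject_signature(t["subject"]) for _, t in span)
    top_sig, top_n = sigs.most_common(1)[0]
    return len(requesters), top_sig, top_n


def find_bursts(tickets, window_minutes=5, min_count=20,
                min_distinct_ratio=0.8, min_subject_share=0.5):
    """Slide a time window over anonymous-channel tickets and report runs that
    are high-volume, name a different requester almost every time, and reuse
    one subject template. Overlapping hits are merged into a single burst."""
    rows = sorted(
        ((parse_ts(t["created_at"]), t) for t in tickets
         if t["via"]["channel"] in ANON_CHANNELS),
        key=lambda r: r[0],
    )
    window = timedelta(minutes=window_minutes)
    hits = []  # [start_index, end_index] into rows
    i = 0
    for j in range(len(rows)):
        while rows[j][0] - rows[i][0] > window:
            i += 1
        n = j - i + 1
        if n < min_count:
            continue
        distinct, _, top_n = span_stats(rows[i:j + 1])
        if distinct / n < min_distinct_ratio or top_n / n < min_subject_share:
            continue
        if hits and hits[-1][1] >= i - 1:
            hits[-1][1] = j          # extends the burst already being tracked
        else:
            hits.append([i, j])
    bursts = []
    for s, e in hits:
        span = rows[s:e + 1]
        distinct, sig, _ = span_stats(span)
        bursts.append({
            "start": span[0][0].isoformat(),
            "end": span[-1][0].isoformat(),
            "count": len(span),
            "distinct_requesters": distinct,
            "dominant_subject": sig,
            "sample_requesters": [t["requester"]["email"] for _, t in span[:3]],
        })
    return bursts


def make_ticket(tid, when, requester, subject, channel="web"):
    return {"id": tid, "created_at": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "subject": subject, "via": {"channel": channel},
            "requester": {"email": requester}}


def build_sample():
    """Constructed export: a quiet morning of genuine tickets, then a burst of
    30 web-form tickets in 90 seconds, each naming a different victim address."""
    base = datetime(2026, 1, 14, 9, 0, tzinfo=timezone.utc)
    genuine = [
        ("alice@customer.example", "Cannot log in after password reset"),
        ("bob@customer.example", "Refund for order 88213"),
        ("carol@customer.example", "Two-factor codes not arriving"),
        ("dave@customer.example", "Question about invoice 2026-01"),
        ("erin@customer.example", "App crashes on startup"),
        ("frank@customer.example", "Change billing address"),
    ]
    tickets = [make_ticket(n + 1, base + timedelta(minutes=23 * n), who, subj)
               for n, (who, subj) in enumerate(genuine)]
    burst_start = base + timedelta(hours=3)
    tickets += [make_ticket(100 + n, burst_start + timedelta(seconds=3 * n),
                            f"victim{n}@corp.example", f"Account notice {4000 + n}")
                for n in range(30)]
    return tickets


if __name__ == "__main__":
    for burst in find_bursts(build_sample()):
        print(burst)
```

The distinct-requester ratio is what separates this abuse from an ordinary rush of genuine tickets: a service outage produces many tickets with similar subjects, but they come from existing customers who mostly repeat themselves, whereas a relay-spam run names a fresh victim in nearly every ticket. Run the same logic over the instance's ticket export or audit log and feed the `sample_requesters` list to the team that will field the victims' complaints.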
Impact at a Glance
Affected Business Functions
- Customer Support
- Email Communications
Estimated downtime: 3 days
Estimated loss: $50,000
No unauthorized access to existing customer or ticket data was reported. The exposure is that victims' email addresses are entered as requesters on attacker-created tickets, and that attacker-supplied ticket text reaches those victims in the brand's name, which can carry impersonation or scam content.
Recommended Actions
Key Takeaways & Next Steps
- Enforce requester verification for all externally facing support and contact portals. In Zendesk this is an end-user configuration setting: check whether the instance accepts tickets from anyone and whether submitters must register and verify their email address before a ticket is created (confirm the exact option names against Zendesk's current documentation), so that unverified submissions land in the suspended-tickets queue instead of triggering confirmation emails.
- Implement application-layer zero trust segmentation policies that restrict each identity to its intended workflow, minimizing blast radius from logic abuse.
- Adopt centralized visibility and anomaly detection to surface high-volume automation against SaaS systems; the signature here is many tickets in a short window, each with a different requester address and a near-identical subject.
- Apply strict egress policy controls and outbound filtering to contain downstream data loss or propagation if a business logic flaw is exploited.
- Review SaaS platform configurations regularly, and use runtime inline enforcement to prevent misconfiguration and relay abuse at scale.



