Zendesk Email Bomb Attacks: Exploiting Lax Authentication and Anonymous Ticket Creation
- Rescana
- Oct 19
- 5 min read

Executive Summary
A critical exploitation vector has emerged targeting Zendesk customer service platforms, wherein threat actors leverage lax authentication configurations to orchestrate large-scale “email bomb” attacks. By exploiting the default or permissive settings that allow anonymous ticket creation and unverified email addresses, adversaries can automate the submission of thousands of support tickets using a victim’s email address. This results in the victim’s inbox being inundated with legitimate-looking notifications from a multitude of reputable brands, effectively masking important communications and facilitating further malicious activity. The attack is not a vulnerability in the Zendesk codebase itself, but rather an abuse of misconfigured workflows and insufficient verification controls. This advisory provides a comprehensive technical analysis, threat actor profiling, real-world exploitation evidence, and actionable mitigation strategies to safeguard organizations and their customers.
Threat Actor Profile
The primary threat actors exploiting this Zendesk configuration weakness are opportunistic cybercriminals, harassment groups, and potentially financially motivated fraudsters. These actors are characterized by their use of automation tools and scripts to submit mass volumes of support tickets across multiple Zendesk instances. Their objectives range from targeted harassment and reputational damage to more sophisticated schemes such as obfuscating legitimate security alerts (e.g., bank fraud notifications) or facilitating account takeovers by drowning out password reset emails. While there is no direct attribution to advanced persistent threat (APT) groups at this time, the tactics, techniques, and procedures (TTPs) align with those observed in carding forums, doxxing campaigns, and coordinated harassment operations. The distributed nature of the attack—leveraging many Zendesk customer domains simultaneously—complicates attribution and takedown efforts.
Technical Analysis of Malware/TTPs
The exploitation hinges on the configuration of Zendesk support portals that permit ticket creation by unauthenticated or unverified users. Attackers utilize automated scripts or bots to submit thousands of tickets, each using the victim’s email address as the submitter. When the Zendesk instance is configured to send auto-responder notifications upon ticket creation, the victim receives a deluge of emails from the support addresses of various legitimate organizations, such as help@washpost.com (The Washington Post), support@nordvpn.com (NordVPN), support@discord.com (Discord), and support@tinder.com (Tinder), among others.
The attack is further amplified by the ability to customize the subject and body of the ticket, enabling the attacker to inject threats, insults, or misleading information. The emails are sent from the actual support domains of the affected organizations, not from Zendesk itself, which makes filtering and attribution significantly more challenging. The distributed, multi-tenant nature of the attack—wherein dozens or hundreds of Zendesk customers are abused in parallel—results in a “many-against-one” scenario that can overwhelm even well-defended inboxes.
From a technical perspective, the root cause is the absence of robust verification mechanisms for ticket submitters, insufficient rate-limiting, and the default enablement of auto-responder triggers. There is no evidence of malware deployment in this attack chain; rather, the exploitation is a form of application-layer abuse leveraging legitimate SaaS infrastructure.
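The root cause described above, a ticket intake that accepts an unverified requester address, applies no per-submitter rate limit and fires an auto-responder on every creation, can be modelled in a few lines. The following is an added illustration written for this advisory, not Zendesk's code: `IntakePolicy`, `Intake`, `simulate` and the three policy objects are hypothetical names, and the policies stand in for the portal settings the advisory refers to (anonymous submission on or off, auto-responder on or off, a submission cap per window).

```python
"""Toy model of a support-desk ticket intake path.

PERMISSIVE mirrors the configuration the advisory describes; HARDENED requires
a verified requester; RATE_LIMITED_ONLY keeps anonymous intake but caps it.
Hypothetical code, not Zendesk's implementation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class IntakePolicy:
    allow_anonymous: bool   # accept tickets from addresses that never verified
    auto_responder: bool    # send "we received your request" on every creation
    max_per_window: int     # tickets one submitter address may create per window
    window_seconds: int


PERMISSIVE = IntakePolicy(allow_anonymous=True, auto_responder=True,
                          max_per_window=10**9, window_seconds=3600)
HARDENED = IntakePolicy(allow_anonymous=False, auto_responder=True,
                        max_per_window=5, window_seconds=3600)
RATE_LIMITED_ONLY = IntakePolicy(allow_anonymous=True, auto_responder=True,
                                 max_per_window=5, window_seconds=3600)


@dataclass
class Intake:
    policy: IntakePolicy
    # addresses that completed a verification link (constructed for the example)
    verified: set = field(default_factory=set)
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    created: int = 0
    notifications_sent: int = 0

    def submit(self, submitter: str, ts: float) -> str:
        """Return 'created', 'needs_verification' or 'rate_limited'."""
        if not self.policy.allow_anonymous and submitter not in self.verified:
            # Hardened path: an unverified address never produces a ticket,
            # so the auto-responder never fires toward it.
            return "needs_verification"
        window = self._history[submitter]
        while window and ts - window[0] >= self.policy.window_seconds:
            window.popleft()
        if len(window) >= self.policy.max_per_window:
            return "rate_limited"
        window.append(ts)
        self.created += 1
        if self.policy.auto_responder:
            # This is the notification that lands in the requester's inbox.
            self.notifications_sent += 1
        return "created"


def simulate(policy: IntakePolicy, victim: str, n: int) -> dict:
    """Replay the advisory's scenario: n submissions naming `victim` as the
    requester, one per second, against a fresh intake under `policy`."""
    intake = Intake(policy)
    outcomes = defaultdict(int)
    for i in range(n):
        outcomes[intake.submit(victim, ts=float(i))] += 1
    return {"outcomes": dict(outcomes),
            "notifications_to_victim": intake.notifications_sent}


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE), ("rate-limited", RATE_LIMITED_ONLY),
                      ("hardened", HARDENED)):
        print(name, simulate(pol, "victim@example.invalid", 1000))
```

The model sends nothing at all on the `needs_verification` path. A real portal that answers an unverified submission with a verification email must cap that mail too (at most one per address per window), or the verification message simply becomes the bombing vector in place of the ticket notification.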
The attack maps to several MITRE ATT&CK techniques, including T1585.002 (Compromise Infrastructure: Email Accounts), T1566.002 (Phishing: Spearphishing via Service), and T1498 (Network Denial of Service, specifically email bombing as a DoS vector).
Exploitation in the Wild
The exploitation of Zendesk’s lax authentication has been observed in high-profile incidents, most notably targeting security journalist Brian Krebs, who received thousands of ticket creation notifications from dozens of major brands’ Zendesk instances within hours. The emails originated from customer domains, not from Zendesk itself, complicating both filtering and incident response. The attack was highly distributed, leveraging the support portals of numerous organizations simultaneously.
Victims have included journalists, security researchers, and potentially individuals targeted for financial fraud. The attack’s utility in obscuring legitimate communications—such as fraud alerts or password reset emails—makes it particularly dangerous for individuals at risk of account compromise or financial theft. The abuse has also resulted in reputational damage for organizations whose Zendesk instances were weaponized, as their support infrastructure was used to harass or disrupt third parties.
There is no evidence to suggest that a specific Zendesk product version is immune; the exploit is configuration-dependent and affects all cloud/SaaS instances where anonymous ticket creation and auto-responder notifications are enabled.
Victimology and Targeting
The primary targets of these email bomb attacks are individuals with high public profiles, such as journalists, security researchers, and executives, as well as individuals who may be at risk of financial fraud or targeted harassment. The attack is opportunistic and can be launched against any email address, but the impact is magnified when the victim relies on email for critical communications, such as receiving security alerts or transactional notifications.
Organizations whose Zendesk instances are abused in these attacks also suffer collateral damage, including brand reputation harm, increased support workload, and potential loss of customer trust. The distributed nature of the attack means that a single victim may receive emails from dozens or hundreds of unrelated brands, each of which may be unaware that their support infrastructure is being misused.
Mitigation and Countermeasures
To mitigate the risk of Zendesk-based email bomb attacks, organizations must enforce strict authentication and verification controls on their support portals. Specifically, Zendesk customers should require email verification for ticket creation, disable anonymous ticket submission unless absolutely necessary, and review all auto-responder triggers to ensure they are not enabled by default. Implementing rate-limiting and CAPTCHA mechanisms on ticket submission forms can further reduce the risk of automated abuse.
Organizations should monitor for abnormal spikes in ticket creation and audit their support workflows for potential abuse vectors. Security teams should establish inbox rules to filter or quarantine mass ticket notifications and coordinate with abused brands to report incidents and request remediation.
For individuals at risk, setting up robust email filtering rules and maintaining alternative communication channels for critical alerts is recommended. Organizations should also educate their support staff on the risks of misconfiguration and the importance of regular security reviews.
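The inbox-side rule recommended above (filter or quarantine mass ticket notifications without losing the fraud alerts and password resets the flood is meant to bury) can be expressed as a burst detector over message headers. This is an added example written for this advisory, not tooling from Rescana, Zendesk or any mail provider: `ACK_SUBJECT`, `PROTECTED_SENDERS`, `detect_bursts`, `triage` and `build_sample` are hypothetical names, the subject patterns are assumed, and every message and domain in the sample is constructed.

```python
"""Detect the 'many brands against one inbox' pattern from message headers.

A burst is at least `min_count` acknowledgement-looking mails from at least
`min_domains` distinct sender domains inside a sliding time window. Messages
in a burst are quarantined unless the sender is on a protected list, so a
genuine alert that arrives mid-flood is never diverted.
Added example; sample data is constructed.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Subject phrases typical of support-desk auto-responders (assumed patterns).
ACK_SUBJECT = re.compile(
    r"(request|ticket) (received|created)|we('ve| have) received your", re.I)

# Senders that must reach the inbox even inside a burst (constructed list).
PROTECTED_SENDERS = {"alerts@bank.example", "no-reply@accounts.example"}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def detect_bursts(messages, window=timedelta(minutes=10),
                  min_count=20, min_domains=5):
    """Return the ids of messages that belong to an email-bomb burst.

    messages: iterable of dicts with keys id, ts (datetime), from, subject.
    """
    acks = sorted((m for m in messages if ACK_SUBJECT.search(m["subject"])),
                  key=lambda m: m["ts"])
    burst_ids, win = set(), deque()
    for m in acks:
        win.append(m)
        while win and m["ts"] - win[0]["ts"] > window:
            win.popleft()
        domains = {sender_domain(x["from"]) for x in win}
        if len(win) >= min_count and len(domains) >= min_domains:
            burst_ids.update(x["id"] for x in win)
    return burst_ids


def triage(messages, **kw):
    """Split messages into (quarantine_ids, keep_ids)."""
    burst = detect_bursts(messages, **kw)
    quarantine, keep = [], []
    for m in messages:
        if m["id"] in burst and m["from"].lower() not in PROTECTED_SENDERS:
            quarantine.append(m["id"])
        else:
            keep.append(m["id"])
    return quarantine, keep


def build_sample():
    """Constructed inbox: 40 ticket acks from 8 brands in 4 minutes, a bank
    notice landing mid-flood, a personal mail, and one lone ack hours later."""
    t0 = datetime(2025, 10, 17, 9, 0)
    brands = [f"support@brand{i}.example" for i in range(8)]
    msgs = [{"id": f"bomb-{i}", "ts": t0 + timedelta(seconds=6 * i),
             "from": brands[i % 8],
             "subject": f"[Request received] Ticket #{1000 + i}"}
            for i in range(40)]
    msgs.append({"id": "bank", "ts": t0 + timedelta(seconds=90),
                 "from": "alerts@bank.example",
                 "subject": "We have received your request to change your phone number"})
    msgs.append({"id": "personal", "ts": t0 + timedelta(seconds=120),
                 "from": "friend@mail.example", "subject": "Lunch tomorrow?"})
    msgs.append({"id": "lone-ack", "ts": t0 + timedelta(hours=3),
                 "from": "help@shop.example",
                 "subject": "Request received: order question"})
    return msgs


if __name__ == "__main__":
    q, k = triage(build_sample())
    print(f"quarantined {len(q)}, kept {k}")
```

The thresholds are deliberately conservative: a single brand's auto-reply, or a handful of legitimate tickets opened in one morning, never reaches `min_domains`, so only the distributed pattern the advisory describes is diverted. The protected-sender check runs after burst detection rather than before it, so a bank or account-recovery message that happens to match an acknowledgement subject is counted toward the burst but still delivered.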
Zendesk has acknowledged the abuse and recommends that customers permit only verified users to submit tickets. The vendor is actively investigating additional preventive measures, but the onus remains on customers to configure their instances securely.
References
KrebsOnSecurity: Email Bombs Exploit Lax Authentication in Zendesk
Hacker News Discussion: https://news.ycombinator.com/item?id=45615449
Slashdot Coverage: https://it.slashdot.org/story/25/10/17/2333255/email-bombs-exploit-lax-authentication-in-zendesk
Zendesk Security Best Practices: https://support.zendesk.com/hc/en-us/articles/4408889197850-Security-best-practices-for-Zendesk
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire vendor ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to identify emerging threats, enforce best practices, and maintain robust security postures in an ever-evolving digital landscape. For more information or to discuss how we can help secure your organization, we are happy to answer questions at ops@rescana.com.


