{"id":7759,"date":"2025-10-18T03:04:14","date_gmt":"2025-10-18T03:04:14","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/18\/email-bombs-exploit-lax-authentication-in-zendesk\/"},"modified":"2025-10-18T03:04:14","modified_gmt":"2025-10-18T03:04:14","slug":"email-bombs-exploit-lax-authentication-in-zendesk","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/18\/email-bombs-exploit-lax-authentication-in-zendesk\/","title":{"rendered":"Email Bombs Exploit Lax Authentication in Zendesk"},"content":{"rendered":"<p>Email Bombs Exploit Lax Authentication in Zendesk<\/p>\n<div>\n<p>Cybercriminals are abusing a widespread lack of authentication in the customer service platform <strong>Zendesk<\/strong> to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.<\/p>\n<p>Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of a different Zendesk customer, such as <strong>CapCom<\/strong>, <strong>CompTIA<\/strong>, <strong>Discord<\/strong>, <strong>GMAC<\/strong>, <strong>NordVPN<\/strong>, <strong>The Washington Post<\/strong>, and <strong>Tinder<\/strong>.<\/p>\n<p>The abusive missives sent via Zendesk\u2019s platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com, or else contained personal insults.<\/p>\n<p>Moreover, the automated messages that are sent out from this type of abuse all come from customer domain names \u2014 not from Zendesk. 
In the example below, replying to any of the junk customer support responses from The Washington Post\u2019s Zendesk installation shows the reply-to address is help@washpost.com.<\/p>\n<div id=\"attachment_72398\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-72398\" decoding=\"async\" class=\" wp-image-72398\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/zendeskwapo.png?resize=749%2C362&#038;ssl=1\" alt=\"\" width=\"749\" height=\"362\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/zendeskwapo.png 2110w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/zendeskwapo-768x371.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/zendeskwapo-1536x743.png 1536w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/zendeskwapo-2048x990.png 2048w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/zendeskwapo-782x378.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-72398\" class=\"wp-caption-text\">One of dozens of messages sent to me this week by The Washington Post.<\/p>\n<\/div>\n<p>Notified about the mass abuse of their platform, Zendesk said the emails were ticket creation notifications from customer accounts that configured their Zendesk instance to allow anyone to submit support requests \u2014 including anonymous users.<\/p>\n<p>\u201cThese types of support tickets can be part of a customer\u2019s workflow, where a prior verification is not required to allow them to engage and make use of the Support capabilities,\u201d said <strong>Carolyn Camoens<\/strong>, communications director at Zendesk. 
\u201cAlthough we recommend our customers to permit only verified users to submit tickets, some Zendesk customers prefer to use an anonymous environment to allow for tickets to be created due to various business reasons.\u201d<\/p>\n<p>Camoens said requests that can be submitted in an anonymous manner can also make use of an email address of the submitter\u2019s choice.<\/p>\n<p>\u201cHowever, this method can also be used for spam requests to be created on behalf of third party email addresses,\u201d Camoens said. \u201cIf an account has enabled the auto-responder trigger based on ticket creation, then this allows for the ticket notification email to be sent from our customer\u2019s accounts to these third parties. The notification will also include the Subject added by the creator of these tickets.\u201d<\/p>\n<p>Zendesk claims it uses rate limits to prevent a high volume of requests from being created at once, but those limits did not stop Zendesk customers from flooding my inbox with thousands of messages in just a few hours.<\/p>\n<p>\u201cWe recognize that our systems were leveraged against you in a distributed, many-against-one manner,\u201d Camoens said. \u201cWe are actively investigating additional preventive measures. We are also advising customers experiencing this type of activity to follow our general security best practices and configure an authenticated ticket creation workflow.\u201d<\/p>\n<p>In all of the cases above, the messaging abuse would not have been possible if Zendesk customers validated support request email addresses prior to sending responses. 
Failing to do so may make it easier for Zendesk clients to handle customer support requests, but it also allows ne\u2019er-do-wells to sully the sender\u2019s brand in service of disruptive and malicious email floods.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/10\/email-bombs-exploit-lax-authentication-in-zendesk\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Email Bombs Exploit Lax Authentication in Zendesk Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Zendesk is an automated help desk service designed to make it simple for people to contact companies [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,1933,1934,1935,499,1936,55,206,1937,207,1038,1938,370,1939],"tags":[72],"class_list":["post-7759","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-capcom","category-carolyn-camoens","category-comptia","category-discord","category-gmac","category-krebsonsecurity","category-latest-warnings","category-nordvpn","category-the-coming-storm","category-the-washington-post","category-tinder","category-web-fraud-2-0","category-zendesk","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7759"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\
/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7759"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7759\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}