Zendesk in the eye of the hurricane: how automatic-response spam is flooding inboxes worldwide


Since January 18, thousands of people around the world have been receiving waves of strange, repetitive emails that, at first glance, appear to come from legitimate companies. This is not an isolated failure or a traditional virus but the large-scale abuse of customer-support systems built on Zendesk: attackers create fake tickets using other people's email addresses, and the platform's own automatic-response mechanism then sends confirmation after confirmation to those addresses.

Public reports of the phenomenon began to circulate on social networks, with users posting screenshots of inboxes piled high with messages bearing baffling subject lines. Security experts and journalists collected these reports and published write-ups explaining the mechanism behind the problem. A technical summary and follow-up appeared in BleepingComputer, and security professionals such as Troy Hunt and other community members shared evidence on X and other networks.

What distinguishes this campaign from conventional spam is that the messages genuinely originate from real corporate domains and support systems, which makes it easier for them to slip past junk-mail filters. Even so, in the vast majority of cases there are no links or malicious attachments meant to defraud or install software: the apparent intention is to generate noise and confusion rather than steal credentials. Subject lines are deliberately provocative, imitate legal or content-takedown notices, or promise supposed giveaways such as "Free Nitro Discord", and often use Unicode characters to decorate or distort the text.

Organizations whose Zendesk instances were identified as senders of these automatic responses include well-known names from the digital and entertainment world: messaging and gaming platforms, cloud storage services, security companies and public agencies. Some of the affected companies have responded publicly, explaining to users that these are automatic replies to tickets that were not created by the account holders and asking them to ignore the messages.

Zendesk had already warned in December about a similar type of abuse, which it calls "relay spam", and published recommendations to mitigate the risk. Its technical documentation explains that allowing tickets to be created by unverified users enables this attack vector and suggests measures such as restricting who can submit requests and removing fields or templates that accept unvalidated addresses or subjects. The Zendesk notice is available in its help centre at support.zendesk.com, alongside practical guides on hardening the configuration, such as allowing only added users to submit tickets and tips for combating spam.

For its part, Zendesk stated that it has deployed additional safeguards to detect and stop this unusual type of activity, implementing stricter limits and monitoring to cut off the sending spikes. However, the practical responsibility lies with the companies that configure these systems: many opt for open policies that make contact easy, but that openness can also be exploited by anyone holding large mailing lists.

For those who have received these waves, the main recommendation is to stay calm: there is no evidence that the messages in this particular campaign contain phishing links or malicious files, and the affected companies insist that no unauthorized access to user accounts or changes to services has occurred. Still, the usual caution for any unexpected email applies: do not click suspicious links, check the sender carefully, delete the redundant messages and, if in doubt, contact the company directly through its official channels rather than replying to the message received.

At the organizational level the lesson is clear: "convenience" should not mean exposure. Support and security teams should review their ticket flows, limit automatic ticket creation from unverified addresses, and audit the templates and placeholders that let unchecked notifications go out. This change in configuration policy, combined with Zendesk's improved platform-side detection, greatly reduces the chance of a legitimate service being turned into a spam machine.
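As an added example (not from the article, and not Zendesk's or any affected company's code), the following mailbox-triage script applies the traits described above to raw messages: the RFC 3834 Auto-Submitted header, ticket-acknowledgement wording, Unicode-decorated subjects whose bait keywords only surface after NFKC normalization, and a burst of acknowledgements from a single support domain. The sample messages, the support domain, the ticket numbers and the thresholds are all constructed for the demo.

```python
import email
import re
import unicodedata
from collections import Counter
from email import policy
from email.utils import parseaddr

# Constructed sample messages (invented for this demo; not taken from the article).
SAMPLES = [
    "From: Support <support@example-games.test>\nSubject: [Request received] \u2728 "
    "\u24d5\u24e1\u24d4\u24d4 \u24dd\u24d8\u24e3\u24e1\u24de Discord \u2728\n"
    "Auto-Submitted: auto-replied\n\nYour request (#1001) has been received.\n",
    "From: Support <support@example-games.test>\nSubject: [Request received] "
    "Legal notice: content removal \u24d3\u24dc\u24d2\u24d0\n"
    "Auto-Submitted: auto-replied\n\nYour request (#1002) has been received.\n",
    "From: Support <support@example-games.test>\nSubject: [Request received] "
    "Your order has shipped\nAuto-Submitted: auto-replied\n\nRequest #1003 received.\n",
    "From: Alice <alice@example.org>\nSubject: Lunch tomorrow?\n\nSee you at noon.\n",
]
ACK_RE = re.compile(r"request received|has been received|request #?\d+", re.I)
BAIT_RE = re.compile(r"free nitro|legal notice|content removal", re.I)

def score_message(raw):
    """Return (sender domain, score, reasons) for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    folded = unicodedata.normalize("NFKC", subject)  # circled/fullwidth letters -> ASCII
    text = msg.get_body().get_content()
    domain = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    checks = {
        "auto-submitted": msg.get("Auto-Submitted", "no").lower() != "no",  # RFC 3834 marker
        "ticket-ack": bool(ACK_RE.search(folded) or ACK_RE.search(text)),
        "unicode-decorated-subject": sum(ord(c) > 127 for c in subject) > 0.15 * len(subject),
        "bait-subject": bool(BAIT_RE.search(folded)),  # decoration cannot hide the keyword
    }
    reasons = [name for name, hit in checks.items() if hit]
    return domain, len(reasons), reasons

def detect_relay_spam(raws, min_score=3, burst=3):
    """Flag suspicious auto-acks, plus every auto-ack from a domain sending a burst."""
    scored = [score_message(r) for r in raws]
    acks = Counter(d for d, _, r in scored if "auto-submitted" in r and "ticket-ack" in r)
    flagged = []
    for i, (domain, score, reasons) in enumerate(scored):
        if "ticket-ack" in reasons and acks[domain] >= burst:
            reasons = reasons + ["burst-from-domain"]
        if score >= min_score or "burst-from-domain" in reasons:
            flagged.append((i, reasons))
    return flagged
```

Run over an mbox export the same function works on each message's raw text; tune `burst` to the volume a real support domain normally sends you.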

This episode is a reminder that the infrastructure we use every day can become an unexpected vector when permissive configurations meet actors looking to cause large-scale nuisance. Staying informed, implementing the vendor's security recommendations and validating changes to how automated support systems respond are essential steps to keep digital noise from polluting legitimate communication between companies and users. To follow the technical coverage and updates on this incident, BleepingComputer has published a case follow-up on its site (BleepingComputer - Security), and Zendesk's own support pages contain the official instructions mentioned above.
