Cybercriminals are actively exploiting a configuration weakness in thousands of customer support portals powered by Zendesk to conduct large-scale email bomb attacks. An email bomb is the act of sending a massive volume of messages to a single email address, overwhelming the inbox and hiding legitimate, time-sensitive alerts, such as notifications about a security breach or fraudulent transaction.
The attacks specifically leverage Zendesk instances that have lax authentication settings for new user creation. The perpetrators automate the process of signing up a target’s email address for new accounts on these misconfigured support portals. This tactic succeeds because many companies using Zendesk have not enabled features that would verify the user before an account is created.
How the Zendesk Exploit Works
The core of the issue lies in Zendesk’s default functionality, which allows for the creation of a new user account simply by sending an email to a company’s support address. When an attacker sends an email that uses the target’s address as the sender to one of these portals, the system automatically registers a new user. If that portal is also configured to send an automated ‘Welcome’ or ‘Account Created’ email, a message is immediately dispatched to the target’s inbox.
By repeating this process across thousands of different misconfigured Zendesk installations, attackers can trigger a flood of legitimate welcome emails from a wide variety of sources. This deluge of messages effectively buries any critical emails the target might otherwise see, serving as a distraction for other malicious activity targeting the victim’s accounts.
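A defender-side check for the pattern described above, as an added example that is not from the original article: it flags a recipient when sign-up style mail from many distinct sender domains arrives inside a short window, and returns the other mail received during the burst so it can be surfaced. The subject patterns, thresholds, and gateway records are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed subject patterns for automated sign-up mail; tune for your own traffic.
SIGNUP_SUBJECT = re.compile(
    r"\b(welcome|account (was )?created|verify your (e-?mail|account))\b", re.I)

def detect_signup_flood(messages, window=timedelta(minutes=10), min_domains=5):
    """Return {recipient: (alert_time, buried_messages)}.

    messages: iterable of (iso_timestamp, sender, recipient, subject), sorted by time.
    A recipient is flagged when sign-up style mail from at least `min_domains`
    distinct sender domains arrives inside one sliding `window`.
    buried_messages are the non-sign-up messages received from the start of that
    window onward, i.e. the mail the flood is most likely to hide.
    """
    recent = {}   # recipient -> deque of (time, sender_domain) for sign-up mail
    other = {}    # recipient -> list of (time, sender, subject) for all other mail
    alerts = {}   # recipient -> (alert time, start of the triggering window)
    for ts, sender, rcpt, subject in messages:
        t = datetime.fromisoformat(ts)
        if not SIGNUP_SUBJECT.search(subject):
            other.setdefault(rcpt, []).append((t, sender, subject))
            continue
        q = recent.setdefault(rcpt, deque())
        q.append((t, sender.rsplit("@", 1)[-1].lower()))
        while q and t - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if rcpt not in alerts and len({d for _, d in q}) >= min_domains:
            alerts[rcpt] = (t, q[0][0])
    return {r: (hit, [m for m in other.get(r, []) if m[0] >= start])
            for r, (hit, start) in alerts.items()}

# Constructed sample gateway records (not real data).
V = "victim@corp.example"
SAMPLE = [
    ("2025-10-01T08:00:00", "news@shop.example", V, "Weekly deals"),
    ("2025-10-01T09:00:05", "support@a.example", V, "Welcome to A Support"),
    ("2025-10-01T09:00:40", "help@b.example", V, "Your account was created"),
    ("2025-10-01T09:01:10", "support@c.example", V, "Welcome to C Help Center"),
    ("2025-10-01T09:01:30", "alerts@bank.example", V, "Unusual transaction on your card"),
    ("2025-10-01T09:02:00", "desk@d.example", V, "Account created"),
    ("2025-10-01T09:02:20", "support@e.example", V, "Welcome aboard"),
    ("2025-10-01T09:03:00", "support@a.example", "other@corp.example", "Welcome to A Support"),
]
```

On the sample, only the first recipient is flagged, and the bank alert that arrived mid-burst is the one message returned as buried.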
Misconfiguration, Not a Software Vulnerability
This attack vector is not the result of a software vulnerability within Zendesk’s platform itself, but rather the abuse of its intended functionality due to insecure customer configurations. The lack of mandatory user verification, such as CAPTCHA or a confirmation link click, before account creation is the central weakness being exploited. Zendesk has provided guidance to its customers on how to secure their portals against this type of abuse. The recommended mitigations include requiring users to register and sign in before they can submit support tickets or enabling more robust authentication checks for new user sign-ups.
Source: https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-in-zendesk/