Concise Cyber

Zendesk Customer Configurations Exploited for Massive Email Bomb Attacks

Widespread Abuse of Unverified Support Tickets

Cybercriminals have found a way to weaponize the popular customer service platform Zendesk, launching massive email bombing campaigns by exploiting a common configuration weakness. The attack method allows malicious actors to flood a target’s inbox with thousands of automated support ticket notifications that appear to come from hundreds of legitimate corporate brands, including well-known names like Discord, The Washington Post, and NordVPN.

The core of the issue lies not in Zendesk’s platform itself, but in how its corporate customers configure their support portals. Many companies allow anyone, including anonymous users, to submit a support request without first verifying their email address. Attackers abuse this by programmatically submitting countless tickets across hundreds of different company portals, all using the victim’s email address as the submitter.

Lax Authentication Enables Harassment

Each time a ticket is submitted, the company’s Zendesk instance automatically sends a “ticket created” notification to the email address provided. Because the emails are sent directly from the company’s domain (e.g., support@company.com), they bypass spam filters and appear legitimate. This distributed technique allows attackers to rapidly overwhelm an inbox with messages containing harassing or menacing subject lines of their choosing.

In a statement, Zendesk acknowledged the abuse and confirmed it stems from customers who choose to allow unverified ticket submissions for their own business reasons. While the company recommends its clients configure an authenticated workflow, it is not a mandatory setting. Zendesk stated its rate-limiting systems were ineffective against this distributed attack and that it is investigating additional preventive measures. Ultimately, this incident highlights the security risks of failing to validate user email addresses before sending automated communications.
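The closing point, validating the requester's address before any automated notification goes out, can be sketched as follows. This is an added example, not code from Zendesk or from the original article; the `TicketIntake` class, its limits and the demo secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, constructed here
TOKEN_TTL = 3600                  # seconds a verification link stays valid
MAX_VERIFY_MAILS = 3              # verification mails per address per WINDOW
WINDOW = 24 * 3600

class TicketIntake:
    """Hypothetical portal intake: tickets stay pending until the address is verified."""

    def __init__(self):
        self.pending = {}      # ticket_id -> (email, subject)
        self.open = {}         # ticket_id -> (email, subject)
        self.verify_sent = {}  # email -> timestamps of verification mails
        self.outbox = []       # (recipient, kind) pairs standing in for real mail

    def _token(self, ticket_id, email, expires):
        msg = f"{ticket_id}|{email}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def submit(self, email, subject, now=None):
        # Anonymous submission: no "ticket created" mail, subject is never echoed.
        now = time.time() if now is None else now
        email = email.strip().lower()
        recent = [t for t in self.verify_sent.get(email, []) if now - t < WINDOW]
        if len(recent) >= MAX_VERIFY_MAILS:
            return None  # cap reached for this address: store nothing, send nothing
        self.verify_sent[email] = recent + [now]
        ticket_id = len(self.pending) + len(self.open) + 1
        self.pending[ticket_id] = (email, subject)
        expires = int(now) + TOKEN_TTL
        self.outbox.append((email, "verify"))  # fixed text, nothing attacker-chosen
        return ticket_id, expires, self._token(ticket_id, email, expires)

    def confirm(self, ticket_id, expires, token, now=None):
        # Only a valid, unexpired token opens the ticket and sends the notification.
        now = time.time() if now is None else now
        if ticket_id not in self.pending or now > expires:
            return False
        email, _ = self.pending[ticket_id]
        expected = self._token(ticket_id, email, expires)
        if not hmac.compare_digest(token, expected):
            return False
        self.open[ticket_id] = self.pending.pop(ticket_id)
        self.outbox.append((email, "ticket created"))
        return True
```

The gate applies per portal: an unverified address still receives a verification mail from each portal that is targeted, but that mail is capped in number and carries no text chosen by the submitter.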

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forum in our own words with no intention to plagiarise or copy other person’s work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You’re advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/