Users worldwide are reporting an unusual wave of spam emails arriving not from shady domains, but from legitimate customer support addresses belonging to companies that use the Zendesk helpdesk platform. Many recipients are receiving dozens or even hundreds of automated notifications with bizarre or alarming subjects, creating serious disruption even though the messages typically contain no obvious malware or traditional phishing links.
Global Zendesk Spam Wave: What Changed
According to user reports and industry coverage, the large-scale spam campaign began around 18 January, when social networks started to fill with complaints about an unexpected “flood” of support notifications. The emails are technically legitimate auto-replies generated by real organizations’ support systems, not classic spam sent from disposable or compromised domains.
This makes the campaign particularly problematic: mail gateways treat these messages as normal transactional emails, yet the abnormal volume and attention-grabbing content make them look and feel like an active attack to end users.
How Attackers Abuse Zendesk Forms for Relay Spam
Open ticket creation without email verification
Many organizations using Zendesk allow anyone to open a support ticket without creating an account or confirming ownership of an email address. This is designed to reduce friction for legitimate customers: a user simply enters an email address and a message, and the system generates a ticket.
Attackers are exploiting exactly this feature. They submit large numbers of requests through these open web forms, but instead of their own email, they paste long lists of victim addresses. Zendesk then automatically creates tickets and sends confirmation or status emails to every address supplied. At scale, this turns Zendesk-powered helpdesks into high‑reputation “relays” for spam.
Why these emails bypass spam filters
Modern spam filters heavily rely on domain reputation, correct SPF/DKIM/DMARC configuration, and sender history. In this case, the senders are well-known brands and Zendesk’s own infrastructure, which generally maintain a strong reputation and standards-compliant email authentication.
As a result, mail gateways classify these messages as trusted transactional traffic rather than unsolicited bulk email. Technically, this is a textbook example of relay spam: instead of sending spam directly, the attacker leverages a reputable third-party system to distribute their messages.
Who Is Affected: From Gaming Platforms to Government Agencies
Reportedly affected support systems include services such as Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Lightspeed, CTL, Kahoot, Headspace, Lime, and even labor and tax departments in the US state of Tennessee. The campaign spans gaming, SaaS providers, fintech, consumer apps, and public-sector entities.
Available evidence does not indicate a breach of these organizations’ internal infrastructure. The abuse targets publicly exposed Zendesk functionality that is behaving as configured, but without sufficient rate limiting, validation, or anti‑automation controls.
Nature of the Spam: Emotional Hooks and Fake Official Requests
Subject lines observed in the campaign range from “Help me!” or “Emergency” to fake law enforcement requests, alleged content takedown notices, and offers such as “free Discord Nitro.” Many messages use Unicode symbols, bold formatting, and multiple languages to stand out in crowded inboxes.
Even without embedded malware, this technique generates significant “signal noise,” overwhelms inboxes, and can pressure recipients into impulsive actions—such as hastily clicking links or replying to emails that appear urgent or official.
Response from Zendesk and Impacted Organizations
Several organizations, including Dropbox and 2K, have confirmed that their support systems were abused in this way and have advised users to ignore any support emails that they did not initiate. They emphasize that account changes or sensitive requests are not processed without strong verification of account ownership.
Zendesk has announced enhanced protections against relay spam, including expanded monitoring, stricter ticket creation limits, and behavioral analytics to detect and block anomalous activity more quickly. The company also recommends that customers:
• Restrict ticket creation to verified users. Enable mandatory email verification or require authentication via a customer account before opening tickets.
• Limit attacker-controlled fields. Remove or constrain placeholders and custom fields that let untrusted users freely set subjects, display names, or “from” data.
• Implement bot protection and rate limiting. Use CAPTCHA, IP/domain throttling, and per-user rate limits to control automated submissions.
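Taken together, these three recommendations amount to a gate in front of ticket creation. The Python below is an added example, not Zendesk's code or API: it assumes a hypothetical intake handler that receives a requester address, a subject and a source IP, rejects pasted address lists, strips attacker-controlled formatting from the subject, enforces per-IP rate and distinct-requester limits, and returns "verify" so that only a confirmation link, never a ticket notification, goes out until the address is confirmed.

```python
import re
import time
from collections import defaultdict, deque
from typing import Optional

# Exactly one plausible address: no spaces, commas or semicolons, so a pasted
# list of victim addresses is rejected instead of fanned out to every entry.
SINGLE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_SUBJECT_LEN = 120
RATE_WINDOW_SEC = 600        # sliding window for the per-IP limits below
MAX_TICKETS_PER_IP = 5       # submissions per window from one source IP
MAX_REQUESTERS_PER_IP = 2    # distinct requester addresses per window

_submissions = defaultdict(deque)   # ip -> deque of (timestamp, requester)

def _sanitize_subject(subject: str) -> str:
    # Untrusted field: replace control characters, collapse whitespace, cap length.
    clean = "".join(ch if ch.isprintable() else " " for ch in subject)
    return " ".join(clean.split())[:MAX_SUBJECT_LEN] or "Support request"

def evaluate_submission(ip: str, requester: str, subject: str,
                        now: Optional[float] = None) -> dict:
    """Decide what to do with one web-form submission (hypothetical intake
    handler). 'verify' means: hold the ticket and send the requester only a
    confirmation link; no ticket notification goes out until it is clicked."""
    now = time.time() if now is None else now
    requester = requester.strip().lower()
    if not SINGLE_EMAIL.fullmatch(requester):
        return {"action": "reject", "reason": "requester must be a single valid address"}
    window = _submissions[ip]
    while window and now - window[0][0] > RATE_WINDOW_SEC:
        window.popleft()                       # expire entries outside the window
    if len(window) >= MAX_TICKETS_PER_IP:
        return {"action": "reject", "reason": "per-IP ticket rate exceeded"}
    if len({r for _, r in window} | {requester}) > MAX_REQUESTERS_PER_IP:
        return {"action": "reject", "reason": "too many distinct requesters from one IP"}
    window.append((now, requester))
    return {"action": "verify", "requester": requester,
            "subject": _sanitize_subject(subject)}
```

The thresholds are constructed for illustration; in production they would be tuned against the legitimate submission rate of the specific support form and backed by a CAPTCHA on the form itself.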
Why Helpdesk Relay Spam Is a Strategic Security Risk
Industry studies, including reports from Statista, consistently show that spam accounts for roughly 45–50% of global email traffic. Attackers continuously search for high‑reputation channels to evade filters. Abusing helpdesk platforms is especially dangerous because it piggybacks on users’ trust in known brands and official support channels.
While the current campaign appears mostly nuisance-oriented, the same technique could be repurposed for targeted phishing, business email compromise, or social engineering. Once users are conditioned to receiving frequent, odd-looking support messages, slipping in a malicious link or fraudulent request becomes easier.
At the same time, these campaigns allow attackers to validate active email addresses, observe delivery patterns, and probe how different providers’ spam filters behave—data that can significantly sharpen later, more sophisticated attacks.
For organizations, this incident underscores that any public customer interaction interface—contact forms, support portals, feedback widgets—must be treated as a potential attack vector, not just mail servers or main websites.
To reduce risk, organizations using Zendesk or similar platforms should conduct a thorough review of ticket-creation workflows, enforce multi-layered abuse protections, and regularly analyze activity logs for anomalous submission patterns. End users should approach unexpected support notifications cautiously: avoid clicking links in unsolicited messages, verify any real cases through official apps or account dashboards, and mark suspicious emails as spam or report them to their provider. Strengthening security at both the organizational and user levels is essential to prevent today’s nuisance relay spam from becoming tomorrow’s high‑impact phishing vector.
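The log review suggested above can be automated. The following Python is an added example, not part of the original article or of Zendesk's tooling: it parses constructed ticket-intake log lines in a hypothetical format and flags source IPs that, within a fixed time window, submit tickets for many distinct requester addresses or push one subject to many addresses, which is the fan-out pattern this campaign relies on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical ticket-intake log format.
SAMPLE_LOG = """\
2026-01-18T10:00:01Z ip=203.0.113.5 requester=v1@example.net subject="Help me!"
2026-01-18T10:00:02Z ip=203.0.113.5 requester=v2@example.net subject="Help me!"
2026-01-18T10:00:02Z ip=203.0.113.5 requester=v3@example.net subject="Help me!"
2026-01-18T10:00:03Z ip=203.0.113.5 requester=v4@example.net subject="Help me!"
2026-01-18T10:00:04Z ip=203.0.113.5 requester=v5@example.net subject="Help me!"
2026-01-18T10:05:00Z ip=198.51.100.9 requester=cust@example.org subject="Login issue"
2026-01-18T10:09:00Z ip=198.51.100.9 requester=cust@example.org subject="Login issue (again)"
"""
LINE = re.compile(r'^(\S+) ip=(\S+) requester=(\S+) subject="([^"]*)"$')

def parse_log(text: str) -> list:
    """Return (timestamp, ip, requester, subject) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_relay_sources(events, window_min=10, max_distinct=3, min_fanout=4) -> dict:
    """Bucket submissions per (source IP, fixed window) and flag IPs that
    reach many distinct requesters or send one subject to many addresses."""
    buckets = defaultdict(list)
    for ts, ip, req, subj in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_min,
                           second=0, microsecond=0)
        buckets[(ip, start)].append((req, subj))
    flagged = {}
    for (ip, start), evs in buckets.items():
        distinct = {r for r, _ in evs}
        per_subject = defaultdict(set)           # subject -> requesters it went to
        for r, s in evs:
            per_subject[s].add(r)
        fanout = max(len(v) for v in per_subject.values())
        if len(distinct) > max_distinct or fanout >= min_fanout:
            flagged[ip] = {"window_start": start.isoformat(), "submissions": len(evs),
                           "distinct_requesters": len(distinct), "max_subject_fanout": fanout}
    return flagged
```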