Zendesk Platform Abused for Email Flood Attacks
Summary
Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future. A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies.
Timeline
05.02.2026 12:22 · 1 article
Zendesk spam wave returns with 'Activate account' emails
A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies. The activity strongly suggests attackers are once again abusing Zendesk ticket submission forms to trigger confirmation emails to large lists of addresses. The renewed activity suggests attackers may still be able to abuse exposed Zendesk ticket portals despite the safeguards introduced earlier this year.
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
17.10.2025 14:26 · 3 articles
Zendesk Platform Abused for Email Flood Attacks
Cybercriminals exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future.
- Email Bombs Exploit Lax Authentication in Zendesk — krebsonsecurity.com — 17.10.2025 14:26
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Information Snippets
Zendesk is an automated help desk service used by many companies for customer support.
First reported: 17.10.2025 14:26 · 2 sources, 3 articles
- Email Bombs Exploit Lax Authentication in Zendesk — krebsonsecurity.com — 17.10.2025 14:26
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Cybercriminals exploited Zendesk's lack of authentication to send spam messages from legitimate customer domains.
First reported: 17.10.2025 14:26 · 2 sources, 3 articles
- Email Bombs Exploit Lax Authentication in Zendesk — krebsonsecurity.com — 17.10.2025 14:26
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions.
First reported: 17.10.2025 14:26 · 2 sources, 3 articles
- Email Bombs Exploit Lax Authentication in Zendesk — krebsonsecurity.com — 17.10.2025 14:26
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Zendesk acknowledged the issue and is investigating additional preventive measures.
First reported: 17.10.2025 14:26 · 2 sources, 3 articles
- Email Bombs Exploit Lax Authentication in Zendesk — krebsonsecurity.com — 17.10.2025 14:26
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Zendesk recommends customers configure authenticated ticket creation workflows to prevent such abuse.
First reported: 17.10.2025 14:26 · 2 sources, 3 articles
- Email Bombs Exploit Lax Authentication in Zendesk — krebsonsecurity.com — 17.10.2025 14:26
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
The spam wave started on January 18th, 2026.
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
The emails are generated by support platforms run by companies using Zendesk for customer service.
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Attackers abuse Zendesk's ability to allow unverified users to submit support tickets, generating confirmation emails.
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime.
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
The emails have bizarre subjects, some pretending to be law-enforcement requests or corporate takedowns, while others offer free Discord Nitro or say 'Help Me!'
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Zendesk has introduced new safety features to detect and stop this type of spam in the future.
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Zendesk previously warned customers about this type of abuse in a December advisory, explaining that attackers were using Zendesk to send mass spam emails through what it called 'relay spam.'
First reported: 22.01.2026 01:46 · 1 source, 2 articles
- Zendesk ticket systems hijacked in massive global spam wave — www.bleepingcomputer.com — 22.01.2026 01:46
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems.
First reported: 05.02.2026 12:22 · 1 source, 1 article
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Users have been flooded with bogus 'Activate account' emails since yesterday, with messages arriving in rapid succession and looking like legitimate automated replies from customer support portals.
First reported: 05.02.2026 12:22 · 1 source, 1 article
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
The activity strongly suggests attackers are once again abusing Zendesk ticket submission forms to trigger confirmation emails to large lists of addresses.
First reported: 05.02.2026 12:22 · 1 source, 1 article
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
The renewed activity suggests attackers may still be able to abuse exposed Zendesk ticket portals despite the safeguards introduced earlier this year.
First reported: 05.02.2026 12:22 · 1 source, 1 article
- Zendesk spam wave returns, floods users with 'Activate account' emails — www.bleepingcomputer.com — 05.02.2026 12:22
Similar Happenings
Multi-stage Phishing Campaign Targets Dropbox Corporate Credentials
A sophisticated phishing campaign uses multi-stage techniques to evade detection and steal Dropbox credentials from corporate users. The attack begins with phishing emails claiming urgent business matters, containing PDF attachments with hidden malicious links. These links lead to a spoofed Dropbox login page, where entered credentials are exfiltrated to attacker-controlled Telegram channels. The campaign leverages legitimate cloud infrastructure to bypass security checks and manipulate users into providing their credentials.
Phishing Campaign Targets LastPass Users with Fake Maintenance Messages
LastPass has identified an active phishing campaign impersonating the service to trick users into revealing their master passwords. The campaign, which began around January 19, 2026, uses phishing emails with urgent subject lines to direct users to a phishing site. LastPass emphasizes it will never ask for master passwords and is working to take down the malicious infrastructure. The phishing emails claim upcoming maintenance and urge users to create a local backup of their password vaults within 24 hours. The emails originate from several fraudulent email addresses and direct users to a phishing site that redirects to a domain mimicking LastPass. The campaign was launched during a holiday weekend in the United States to catch LastPass understaffed and less prepared for a prompt response. This campaign follows a previous information-stealing campaign targeting macOS users through fake GitHub repositories and another phishing campaign in October 2025 that used fake death claims to trigger a legacy inheritance process. LastPass has 33 million users and over 100,000 business customers. A cyber-attack in 2022 saw attackers steal parts of LastPass source code, along with proprietary technical information.
LinkedIn Phishing Campaign Uses Open-Source Pen Testing Tool to Target Business Executives
A phishing campaign on LinkedIn exploits an open-source penetration testing tool to distribute a Remote Access Trojan (RAT) to high-value targets, including business executives and IT administrators. The attack begins with a phishing link sent via private messages, which contains a malicious WinRAR self-extracting archive. This archive extracts a legitimate PDF reader alongside a malicious DLL file, using DLL sideloading to evade detection and achieve persistence on the victim's system. The campaign highlights the growing threat of phishing attacks via social media platforms, which often remain overlooked in corporate security strategies.
86% Increase in Fake Delivery Websites Targeting Holiday Shoppers
An 86% surge in malicious postal service websites has been observed over the past month, heightening risks for consumers tracking holiday deliveries. Cybercriminals are exploiting the holiday shopping rush by sending convincing phishing messages mimicking legitimate delivery companies, often warning of delayed or suspended packages. These scams, primarily delivered via text message or email, aim to steal personal or financial information by tricking users into clicking malicious links.
OAuth Device Code Phishing Campaigns Target Microsoft 365 Accounts
A surge in phishing campaigns exploiting Microsoft’s OAuth device code authorization flow has been observed, targeting Microsoft 365 accounts. Both state-aligned and financially motivated actors are using social engineering to trick users into approving malicious applications, leading to account takeover and data theft. The attacks leverage the OAuth 2.0 device authorization grant, a legitimate process designed for devices with limited input capabilities. Once victims enter a device code generated by an attacker-controlled application, the threat actor receives a valid access token, granting control over the compromised account. The campaigns use QR codes, embedded buttons, and hyperlinked text to initiate the attack chain, often claiming to involve document sharing, token reauthorization, or security verification. The growth of these campaigns is linked to readily available phishing tools like SquarePhish2 and Graphish, which simplify device code abuse and require limited technical skill. Proofpoint observed financially motivated actor TA2723 and Russia-linked group UNK_AcademicFlare adopting this technique, targeting various sectors in the US and Europe. Organizations are advised to strengthen OAuth controls and train users to avoid entering device codes from untrusted sources. The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare. The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe. The adversary claims to share a link to a document that includes questions or topics for the email recipient to review before the meeting. The URL points to a Cloudflare Worker URL that mimics the compromised sender's Microsoft OneDrive account and instructs the victim to copy the provided code and click 'Next' to access the supposed document. 
Device code phishing was documented in detail by both Microsoft and Volexity in February 2025, attributing the use of the attack method to Russia-aligned clusters such as Storm-2372, APT29, UTA0304, and UTA0307. The October 2025 campaign is assessed to have been fueled by the ready availability of crimeware offerings like the Graphish phishing kit and red-team tools such as SquarePhish. To counter the risk posed by device code phishing, the best option is to create a Conditional Access policy using the Authentication Flows condition to block device code flow for all users. If that's not feasible, it's advised to use a policy that uses an allow-list approach to allow device code authentication for approved users, operating systems, or IP ranges.