
Zendesk relay spam wave abusing fake support tickets

Campaign
H score 33
1 unique source, 1 article

Summary


A global spam wave is abusing Zendesk support systems to flood recipients with automated confirmation emails, bypassing spam filters and creating widespread confusion. The activity began on January 18 and relies on fake support tickets submitted through Zendesk's unverified-user workflow. Recipients have reported receiving hundreds of emails with bizarre subjects that appear designed to troll rather than phish. The breadth of the recipient pool and the repeated delivery pattern indicate a sustained campaign rather than isolated spam.

Related Happenings

Ongoing Dropbox credential-theft phishing campaign

Campaign
First: 03.02.2026 12:55 Last: 03.02.2026 12:55 Sources 1

About this happening: An **ongoing phishing campaign** is stealing **Dropbox credentials** from corporate users and can enable **account takeover** and follow-on fraud. The operation uses **urgent-busi...

Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model

Threat Actor Meta
First: 02.02.2026 18:15 Last: 02.02.2026 18:15 Sources 1

About this happening: **Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...

Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints

Campaign
First: 28.01.2026 15:15 Last: 28.01.2026 15:15 Sources 1

About this happening: **Bizarre Bazaar** is an active **LLMjacking** campaign targeting **exposed LLM and MCP endpoints** to monetize unauthorized access to AI infrastructure. Researchers say the opera...

Latest development: 29.01.2026 20:37

Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).

Multi-stage phishing campaign targeting users in Russia with Amnesia RAT and ransomware

Campaign
First: 24.01.2026 13:09 Last: 24.01.2026 13:09 Sources 1

About this happening: A **multi-stage phishing campaign** is targeting **users in Russia**, delivering **Amnesia RAT** and **ransomware** that enable **credential theft**, **remote control**, and destr...

ShinyHunters Salesforce extortion campaign against global companies in 2025

Campaign
First: 15.01.2026 17:45 Last: 15.01.2026 17:45 Sources 1

About this happening: The **ShinyHunters** campaign now includes a **Qantas** breach disclosed after the airline found a **June 30, 2025** intrusion in a **third-party platform** used by one customer s...

Timeline

  1. 22.01.2026 01:46 1 article · 4mo ago

    Zendesk relay spam wave begins on January 18

    Initial Disclosure

    People worldwide begin receiving a massive spam wave on January 18 after attackers abuse Zendesk support systems by submitting fake tickets through an unverified-user workflow. Each fake ticket triggers an automated confirmation email to an attacker-supplied address, leaving recipients with hundreds of strange and sometimes alarming messages.

  2. 22.01.2026 01:46 2 articles · 4mo ago

    Zendesk and customers respond to relay spam abuse

    Mitigation Patch Update

    By January 21, multiple companies, including Dropbox and 2K, confirm that their Zendesk instances were affected and tell recipients not to worry about the emails. Zendesk says it has introduced new safety features to detect and stop relay spam, and notes that it had previously warned customers about the same abuse pattern in a December advisory.
