Zendesk Instances Leveraged in Mass Spam Campaigns

These articles are AI-generated summaries. Please check the original sources for full details.

Zendesk Spam Hints at Possible Relay Attacks

Zendesk, a popular CRM vendor, is seeing a surge of spam email sent from legitimate customer help desk instances, affecting numerous users. Reports indicate that attackers are exploiting misconfigured email servers to relay spam past typical email filters; one user reported receiving 800 such emails.

Why This Matters

Reliance on CRM systems like Zendesk gives spammers a single point of potential abuse, turning trusted domains into sources of malicious content. This undermines trust in email and can lead to credential harvesting or malware distribution, costing organizations reputational damage and potential financial losses from successful phishing attacks. Secure server configuration is the assumed ideal, but misconfigurations are widespread in practice.

Key Insights

  • Relay spam attacks are not new: Zendesk issued an advisory regarding relay spam in December 2025.
  • Abuse of help desks: Attackers exploit help desks to send spam messages, framing the target as the sender of the inquiry.
  • Threat actor interest: Scattered Lapsus$ Hunters were observed preparing potential campaigns against Zendesk environments in November 2025.

Practical Applications

  • Use Case: ElevenLabs experienced a mass spam attack on its email ticketing system, requiring collaboration with Zendesk for resolution.
  • Pitfall: Leaving default Zendesk configurations, such as unrestricted first-reply triggers, can allow unauthorized users to submit tickets and send spam.
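
A defender-side check for the abuse pattern described above, where tickets are filed in other people's names so the help desk's first reply lands on them. This is an added example, not code from the source article or from Zendesk; the record shape, addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (created_at, requester, subject). Hypothetical
# record shape, not a Zendesk export format.
KNOWN = {"alice@customer.example"}  # requesters with prior ticket history
TICKETS = [
    ("2026-01-10T09:00:05", "alice@customer.example", "Printer not working"),
    ("2026-01-10T09:01:00", "v1@victim.example", "Claim your prize 1841"),
    ("2026-01-10T09:01:20", "v2@victim.example", "Claim your prize 2209"),
    ("2026-01-10T09:01:45", "v3@victim.example", "claim your  prize 77"),
    ("2026-01-10T09:02:10", "v4@victim.example", "Claim your prize 9"),
    ("2026-01-10T09:02:30", "v5@victim.example", "Claim your prize 310"),
    ("2026-01-10T09:03:00", "v6@victim.example", "Claim your prize 5512"),
    ("2026-01-10T09:30:00", "bob@newcustomer.example", "Invoice question"),
    ("2026-01-10T10:00:00", "carol@other.example", "Password reset"),
    ("2026-01-10T13:00:00", "dave@other.example", "Password reset"),
]

def normalize(subject):
    """Collapse case, digits and whitespace so templated subjects group together."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", subject.lower())).strip()

def find_relay_bursts(tickets, known, window=timedelta(minutes=10), threshold=5):
    """Flag subjects whose auto-replies would reach >= threshold distinct,
    previously unseen requester addresses inside one time window."""
    groups = defaultdict(list)
    for created_at, requester, subject in tickets:
        if requester.lower() not in known:
            groups[normalize(subject)].append(
                (datetime.fromisoformat(created_at), requester.lower()))
    alerts = []
    for subject, events in groups.items():
        events.sort()
        start, peak, peak_start = 0, 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({addr for _, addr in events[start:end + 1]})
            if distinct > peak:
                peak, peak_start = distinct, events[start][0]
        if peak >= threshold:
            alerts.append({"subject": subject, "requesters": peak,
                           "window_start": peak_start.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_relay_bursts(TICKETS, KNOWN):
        print(alert)
```

A flagged subject is a candidate for holding outbound first replies until the requester address is verified; the two spaced-out "Password reset" tickets stay below the threshold.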
