Your Inbox Is Under Attack — Even Trusted Support Emails Are Being Abused

Attackers exploited open customer support systems to send hundreds of confusing emails from legitimate brands worldwide

A widespread spam campaign has hit users around the world after attackers abused unsecured Zendesk customer support systems, causing victims to receive hundreds of automated emails from well-known companies within a short period.

The spam wave began around January 18, with users reporting inbox floods containing strange, misleading, and sometimes alarming subject lines. Although the emails did not include malicious links or clear phishing attempts, their sheer volume and confusing content caused widespread concern.

How the Zendesk Spam Abuse Worked

The campaign exploited a common Zendesk configuration that allows anyone to submit a support ticket without email verification. When a ticket is created, Zendesk automatically sends a confirmation email to the address provided by the submitter.

Attackers took advantage of this behavior by submitting large volumes of fake tickets using lists of email addresses. Each submission triggered an automated reply, effectively turning legitimate Zendesk instances into a relay-based spam engine.

Because the messages originated from real company support systems, most email security filters treated them as trusted traffic and delivered them directly to recipients’ inboxes.

Major Brands Unknowingly Used as Spam Senders

Researchers observed spam messages coming from Zendesk environments operated by a wide range of organizations, including Discord, Tinder, Riot Games, Dropbox, CD Projekt (2K), NordVPN, Kahoot, Headspace, and Lime, as well as U.S. government entities such as the Tennessee Department of Labor and the Tennessee Department of Revenue.

Several of these organizations later confirmed the abuse and clarified that recipients had not actually submitted support requests.

Confusing and Alarming Email Subjects

The spam emails featured chaotic subject lines designed to provoke curiosity or fear. Some impersonated legal or law-enforcement notices, while others offered fake promotions or used heavily stylized Unicode text.

Examples included messages claiming takedown orders, donation confirmations, law-enforcement alerts, free subscription offers, generic “Help Me!” requests, and even emails with empty subject lines.

While the emails themselves appeared harmless, their content and volume created uncertainty for recipients.

Why the Emails Were Hard to Block

Unlike traditional spam, these messages came from legitimate Zendesk infrastructure tied to trusted brands, allowing them to bypass common spam filtering rules.

Security researchers believe the campaign was more disruptive than malicious, likely designed to troll users or demonstrate how easily trusted SaaS platforms can be abused when misconfigured.
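
Because every message in such a flood passes sender-reputation checks, the remaining signal is on the recipient side: one mailbox receiving many auto-generated messages from several unrelated brands within minutes. The Python below is an added example, not taken from the original article; the event fields, the thresholds, and the sample records are constructed assumptions (the `auto` flag stands for something like an RFC 3834 `Auto-Submitted` header, which a given helpdesk may or may not set).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DAY = "2000-01-18T"  # constructed date for the sample data only

# Constructed sample events (not real logs):
# (timestamp, recipient, sender domain, auto-generated flag)
SAMPLE = [
    (DAY + "10:00:05", "alice@example.org", "support.brand-a.example", True),
    (DAY + "10:00:40", "alice@example.org", "help.brand-b.example", True),
    (DAY + "10:01:10", "alice@example.org", "support.brand-c.example", True),
    (DAY + "10:02:00", "alice@example.org", "support.brand-a.example", True),
    (DAY + "10:03:30", "alice@example.org", "desk.brand-d.example", True),
    (DAY + "10:04:00", "alice@example.org", "news.example", False),
    (DAY + "10:05:15", "alice@example.org", "help.brand-b.example", True),
    # One brand, two replies hours apart: an ordinary support thread.
    (DAY + "10:01:00", "bob@example.org", "support.brand-a.example", True),
    (DAY + "14:30:00", "bob@example.org", "support.brand-a.example", True),
    # Many replies but a single brand: noisy, yet not the cross-brand pattern.
    (DAY + "11:00:00", "carol@example.org", "support.brand-c.example", True),
    (DAY + "11:01:00", "carol@example.org", "support.brand-c.example", True),
    (DAY + "11:02:00", "carol@example.org", "support.brand-c.example", True),
    (DAY + "11:03:00", "carol@example.org", "support.brand-c.example", True),
    (DAY + "11:04:00", "carol@example.org", "support.brand-c.example", True),
]

def find_floods(events, window=timedelta(minutes=10), min_msgs=5, min_domains=3):
    """Return {recipient: (messages, distinct_domains)} for recipients who got
    at least min_msgs auto-generated messages from at least min_domains
    sender domains inside one sliding time window."""
    recent = defaultdict(deque)   # recipient -> (time, domain) pairs in window
    flagged = {}
    for ts, rcpt, domain, auto in sorted(events):
        if not auto:
            continue              # only automated replies count toward a flood
        t = datetime.fromisoformat(ts)
        q = recent[rcpt]
        q.append((t, domain))
        while t - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        domains = {d for _, d in q}
        if len(q) >= min_msgs and len(domains) >= min_domains:
            # keep the largest burst seen for this recipient
            flagged[rcpt] = max(flagged.get(rcpt, (0, 0)), (len(q), len(domains)))
    return flagged

if __name__ == "__main__":
    for rcpt, (msgs, doms) in find_floods(SAMPLE).items():
        print(f"{rcpt}: {msgs} auto-replies from {doms} domains in one window")
```

A hit is a reason to quarantine or batch the burst for that mailbox, not a verdict on any single sending brand.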

Responses from Companies and Zendesk

Several affected companies, including CD Projekt (2K) and Dropbox, responded publicly to reassure users that the emails could be ignored and that no customer accounts were at risk.

Zendesk acknowledged the abuse and stated that it has rolled out new safety features to better detect and limit relay spam activity. The company also reiterated earlier guidance urging customers to restrict ticket creation and require user verification.

What This Incident Highlights

This incident underscores how open SaaS configurations can quickly become attack infrastructure. Even without malware or phishing links, attackers can exploit automated workflows at scale when security controls are too permissive.

Key Takeaway

Trusted platforms can become powerful spam tools if left unsecured.
SaaS misconfiguration is now a real-world threat vector, not just a best-practice concern.