Zendesk Instances Exploited in Widespread Spam Campaign
A surge of spam emails originating from legitimate Zendesk domains has raised concerns among cybersecurity experts and affected organizations. Multiple users reported receiving unsolicited messages, often disguised as legal notices, bogus lawsuits, or government alerts, from Zendesk instances tied to major companies, including Live Nation, Capcom, Tinder, and AI research firm ElevenLabs.
The attacks appear to stem from two potential vectors: attackers abusing help desk systems to relay spam by impersonating users, or misconfigurations in Zendesk’s email infrastructure. Some emails bypassed spam filters, including iCloud’s, while others targeted users who had never interacted with the services in question. The goal, as with most spam campaigns, is to harvest credentials, gain initial access, or extort payments.
Zendesk acknowledged the issue but clarified that it was not the result of a software vulnerability or breach. The company advised users to ignore or delete suspicious emails and recommended customers adjust first-reply triggers and restrict ticket submissions to authorized users. Security researchers noted similarities between the spam tactics and past activity linked to the threat group Scattered Lapsus$ Hunters, though Zendesk denied any direct connection.
The scale of the campaign remains unclear, with no official response from Zendesk on the number of affected organizations or users. Social media and Reddit threads, however, indicate widespread disruption, with some companies reporting "mass spam attacks" on their ticketing systems. ElevenLabs confirmed it was working with Zendesk to resolve the issue, while other impacted firms have yet to publicly address the matter.
The incident highlights the risks of misconfigured help desk systems and the challenges of defending against relay-based spam attacks. As investigations continue, the full extent of the campaign, and whether it represents a coordinated effort or opportunistic exploitation, remain under scrutiny.
Source: https://www.darkreading.com/threat-intelligence/mass-spam-attacks-zendesk-instances
Tinder cybersecurity rating report: https://www.rankiteo.com/company/tinder-incorporated
Capcom cybersecurity rating report: https://www.rankiteo.com/company/capcom
ElevenLabs cybersecurity rating report: https://www.rankiteo.com/company/elevenlabsio
Zendesk cybersecurity rating report: https://www.rankiteo.com/company/zendesk
"id": "TINCAPELEZEN1768948874",
"linkid": "tinder-incorporated, capcom, elevenlabsio, zendesk",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Entertainment',
'name': 'Live Nation',
'type': 'Company'},
{'industry': 'Gaming',
'name': 'Capcom',
'type': 'Company'},
{'industry': 'Dating/App',
'name': 'Tinder',
'type': 'Company'},
{'industry': 'AI Research',
'name': 'ElevenLabs',
'type': 'Company'},
{'industry': 'Customer Service Software',
'name': 'Zendesk',
'type': 'Company'}],
'attack_vector': ['Abuse of help desk systems',
'Email infrastructure misconfiguration'],
'customer_advisories': 'Advised users to ignore or delete suspicious emails',
'description': 'A surge of spam emails originating from legitimate Zendesk '
'domains has raised concerns among cybersecurity experts and '
'affected organizations. Multiple users reported receiving '
'unsolicited messages often disguised as legal notices, bogus '
'lawsuits, or government alerts from Zendesk instances tied to '
'major companies, including Live Nation, Capcom, Tinder, and '
'AI research firm ElevenLabs. The attacks appear to stem from '
'two potential vectors: attackers abusing help desk systems to '
'relay spam by impersonating users, or misconfigurations in '
'Zendesk’s email infrastructure. The goal is to harvest '
'credentials, gain initial access, or extort payments.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected companies',
'identity_theft_risk': 'High (due to credential harvesting)',
'operational_impact': 'Widespread disruption to ticketing systems',
'systems_affected': ['Zendesk help desk systems']},
'investigation_status': 'Ongoing',
'lessons_learned': 'The incident highlights the risks of misconfigured help '
'desk systems and the challenges of defending against '
'relay-based spam attacks.',
'motivation': ['Credential harvesting', 'Initial access', 'Extortion'],
'post_incident_analysis': {'root_causes': ['Abuse of help desk systems',
'Email infrastructure '
'misconfiguration']},
'recommendations': ['Adjust first-reply triggers in Zendesk',
'Restrict ticket submissions to authorized users'],
'references': [{'source': 'Zendesk Statement'},
{'source': 'Social Media/Reddit Threads'}],
'response': {'communication_strategy': ['Advised users to ignore or delete '
'suspicious emails'],
'containment_measures': ['Adjust first-reply triggers',
'Restrict ticket submissions to '
'authorized users']},
'threat_actor': 'Scattered Lapsus$ Hunters (suspected)',
'title': 'Zendesk Instances Exploited in Widespread Spam Campaign',
'type': 'Spam Campaign'}