Email Bombs Exploit Lax Authentication in Zendesk – Krebs on Security

Cybercriminals are exploiting Zendesk’s lack of authentication to flood inboxes with messages from various Zendesk customers. The abuse involves sending ticket creation notifications from customer accounts configured to allow anonymous submissions, enabling the use of any subject line and sender’s email address. Zendesk is investigating additional preventive measures and advising customers to configure authenticated ticket creation workflows.