Scattered Lapsus Hunters - Typosquatted Domains Target Zendesk Users
CORTEX Protocol Intelligence Assessment
Business Impact: The Scattered Lapsus Hunters campaign against Zendesk users threatens to expose sensitive customer data, internal troubleshooting notes, and API credentials associated with support workflows, potentially enabling broader compromise of CRM, billing, and integration platforms. Organizations that rely heavily on SaaS support ecosystems may face costly incident response, customer churn, and regulatory attention if attackers abuse support access to pivot or exfiltrate data at scale.

Technical Context: The group employs T1566 via typosquatted domains hosting convincing fake SSO portals and T1556-style abuse of authentication flows to capture credentials and tokens. Given previous operations against Salesforce and OAuth integrations, defenders should assume that attackers will attempt to reuse any captured access across interconnected SaaS platforms and must implement strong identity and access management controls around support tooling.
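The typosquatted-domain detection this assessment calls for can be approximated with a lookalike scorer run over hostnames that a proxy, DNS resolver or mail gateway already logs. The script below is an added example, not part of the CORTEX assessment or any vendor tooling; the protected brand list, the allowlist and the sample hostnames are constructed, and the registrable-domain split is a naive last-two-labels assumption that a production deployment would replace with a public-suffix list.

```python
"""Flag observed hostnames that impersonate a protected brand (typosquats,
homoglyph swaps, brand-embedded names, brand-as-subdomain). Added example."""
from urllib.parse import urlsplit

PROTECTED_BRANDS = ("zendesk",)                       # labels to defend (assumed)
ALLOWLIST = {"zendesk.com", "example.zendesk.com"}    # our real hosts (assumed)

# Heuristic look-alike normalisation: digits and letter pairs that imitate
# other letters are folded to the letter they resemble before comparison.
_MULTI_GLYPHS = (("rn", "m"), ("vv", "w"))
_SINGLE_GLYPHS = str.maketrans("01357", "olest")


def normalize_label(label):
    label = label.lower()
    for seq, rep in _MULTI_GLYPHS:
        label = label.replace(seq, rep)
    return label.translate(_SINGLE_GLYPHS)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'zendeks' is one step from 'zendesk'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def hostname(value):
    """Accept a bare hostname or a URL and return the lowercased host."""
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.split("/")[0].split(":")[0].lower()


def classify(value):
    """Return (verdict, reason); verdict is 'allow', 'suspect' or 'clean'."""
    host = hostname(value).strip(".")
    if not host:
        return ("clean", "no host")
    if host in ALLOWLIST or any(host.endswith("." + a) for a in ALLOWLIST):
        return ("allow", "allowlisted")
    labels = host.split(".")
    if len(labels) < 2:
        return ("clean", "single label")
    # Naive registrable-domain split (assumption): second-level label plus
    # everything to its left as subdomains. Use a public-suffix list for
    # multi-part suffixes such as co.uk in real deployments.
    sld, subs = labels[-2], labels[:-2]
    norm = normalize_label(sld)
    for brand in PROTECTED_BRANDS:
        if norm == brand:
            return ("suspect", f"brand '{brand}' on unapproved domain {host}")
        if brand in norm:
            return ("suspect", f"brand '{brand}' embedded in label '{sld}'")
        threshold = 1 if len(brand) <= 6 else 2
        if osa_distance(norm, brand) <= threshold:
            return ("suspect", f"label '{sld}' within edit distance of '{brand}'")
        if any(normalize_label(s) == brand for s in subs):
            return ("suspect", f"brand '{brand}' used as subdomain of {sld}")
    return ("clean", "no match")


# Constructed sample of hostnames a proxy, DNS or mail filter might observe.
SAMPLE = [
    "https://example.zendesk.com/agent", "zendesk.com", "zendeks.com",
    "zendesk-sso-login.com", "z3ndesk.net", "zendesk.auth-portal.example",
    "helpdesk.example", "accounts.google.com",
]


def scan(values=SAMPLE):
    return [(v, *classify(v)) for v in values]


if __name__ == "__main__":
    for value, verdict, reason in scan():
        print(f"{verdict:8} {value:40} {reason}")
```

Feed `classify()` the host column of your DNS, proxy or URL-rewriting mail logs and route every `suspect` verdict to the team that handles domain takedowns and block lists; the allowlist exists so that your own tenant hostnames never trip the brand-embedded rule.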
Strategic Intelligence Guidance
- Implement domain monitoring and email security controls to detect and block access to typosquatted domains impersonating your Zendesk or other support portals, and share indicators with security teams.
- Enforce SSO for Zendesk with phishing-resistant multi-factor authentication where possible, and consider conditional access policies that limit logins to approved IP ranges, devices, or geographies.
- Integrate Zendesk logs into your SIEM or XDR platform and build detections for anomalous sign-in locations, unfamiliar devices, new API tokens, and bulk ticket or data exports.
- Deliver targeted security awareness training to support and operations teams on recognizing fake login pages, unexpected MFA prompts, and suspicious messages that request credentials or session tokens.
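The SIEM detections recommended above (anomalous sign-in location or device, new API tokens, bulk exports) can be prototyped against exported audit events before they are ported to a query language. The following is an added example, not code from the assessment or from Zendesk: the event shape, field names, actor names and timestamps are constructed for illustration and do not reproduce the vendor's audit log schema, and the thresholds are assumptions to tune per tenant.

```python
"""Three detection rules over support-platform audit events. Added example;
the JSON-lines event format below is constructed, not a vendor schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Day one is the learning period; day two contains
# a sign-in from a new country/device, a fresh API token and a burst of exports.
SAMPLE_EVENTS = """
{"ts":"2024-05-01T09:00:00Z","actor":"agent1","action":"login","ip":"203.0.113.10","country":"US","device":"d-1"}
{"ts":"2024-05-01T10:00:00Z","actor":"agent2","action":"login","ip":"203.0.113.20","country":"GB","device":"d-2"}
{"ts":"2024-05-02T03:12:00Z","actor":"agent1","action":"login","ip":"198.51.100.7","country":"RO","device":"d-9"}
{"ts":"2024-05-02T03:14:00Z","actor":"agent1","action":"api_token.create","ip":"198.51.100.7","country":"RO","device":"d-9"}
{"ts":"2024-05-02T03:20:00Z","actor":"agent1","action":"ticket.export","ip":"198.51.100.7","country":"RO","device":"d-9","count":400}
{"ts":"2024-05-02T03:35:00Z","actor":"agent1","action":"ticket.export","ip":"198.51.100.7","country":"RO","device":"d-9","count":400}
{"ts":"2024-05-02T03:50:00Z","actor":"agent1","action":"ticket.export","ip":"198.51.100.7","country":"RO","device":"d-9","count":400}
{"ts":"2024-05-02T11:00:00Z","actor":"agent2","action":"login","ip":"203.0.113.20","country":"GB","device":"d-2"}
{"ts":"2024-05-02T11:30:00Z","actor":"agent2","action":"ticket.export","ip":"203.0.113.20","country":"GB","device":"d-2","count":50}
"""

BASELINE_CUTOFF = datetime(2024, 5, 2)      # assumed end of the learning period
EXPORT_WINDOW = timedelta(hours=1)          # assumed sliding window for exports
EXPORT_ROW_THRESHOLD = 1000                 # assumed rows-per-window threshold


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, until):
    """Per-actor countries and devices seen in successful logins before `until`."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e["ts"] < until and e["action"] == "login":
            baseline[e["actor"]]["countries"].add(e["country"])
            baseline[e["actor"]]["devices"].add(e["device"])
    return baseline


def detect(events, baseline, since):
    alerts = []
    export_history = defaultdict(list)   # actor -> [(ts, row count)] in window
    for e in events:
        if e["ts"] < since:
            continue
        if e["action"] == "login":
            known = baseline.get(e["actor"])
            if (known is None or e["country"] not in known["countries"]
                    or e["device"] not in known["devices"]):
                alerts.append({"rule": "new_geo_or_device", "actor": e["actor"],
                               "ts": e["ts"], "detail": f"{e['country']}/{e['device']}"})
        elif e["action"] == "api_token.create":
            # Token creation is rare and high impact, so it alerts unconditionally.
            alerts.append({"rule": "api_token_created", "actor": e["actor"],
                           "ts": e["ts"], "detail": e["ip"]})
        elif e["action"] == "ticket.export":
            history = export_history[e["actor"]]
            history.append((e["ts"], e["count"]))
            history[:] = [(t, c) for t, c in history if e["ts"] - t <= EXPORT_WINDOW]
            total = sum(c for _, c in history)
            if total >= EXPORT_ROW_THRESHOLD:
                alerts.append({"rule": "bulk_export", "actor": e["actor"],
                               "ts": e["ts"], "detail": f"{total} rows in window"})
                history.clear()   # one alert per burst, not per additional export
    return alerts


def run(text=SAMPLE_EVENTS):
    events = parse_events(text)
    baseline = build_baseline(events, BASELINE_CUTOFF)
    return detect(events, baseline, BASELINE_CUTOFF)


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['ts']:%Y-%m-%d %H:%M} {alert['rule']:18} {alert['actor']:8} {alert['detail']}")
```

On the constructed sample the three rules fire exactly once each, all for `agent1`, while `agent2`'s routine login and small export stay quiet. The learning-period baseline is the weak point of this design: build it from a window you are confident was not already compromised, and re-baseline only after review rather than automatically.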