ReliaQuest researchers report that actors affiliated with Scattered Lapsus$ Hunters are preparing or launching a threat campaign against Zendesk environments, using typosquatted domains and fraudulent support tickets to harvest high-privilege credentials, mapped to MITRE ATT&CK techniques T1566 (Phishing), T1078 (Valid Accounts), and T1204 (User Execution). Over the past six months, more than 40 impersonating domains mimicking Zendesk instances have appeared, some hosting fake single sign-on portals designed to trick users into entering corporate login details. The primary targets are system administrators and helpdesk personnel at organizations that rely on Zendesk for customer service, because of their elevated access.
Beyond lookalike portals, the campaign also abuses legitimate Zendesk workflows by submitting fraudulent tickets to real customer support portals operated by victim organizations. These tickets are crafted to entice helpdesk staff into opening malicious attachments or links, leading to infection with remote access Trojans (RATs) and other malware. Domain registration patterns show Cloudflare-protected name servers and registrant data in the US and UK, with registration via NiceNik, echoing infrastructure used in an earlier August campaign targeting Salesforce environments that was also linked to Scattered Lapsus$ Hunters.
The business impact for Zendesk-dependent organizations includes potential compromise of admin accounts, unauthorized access to customer data, and pivoting into connected CRM, billing, or identity systems. Successful credential harvesting and RAT deployment can enable wide-reaching data theft, ticket manipulation, and abuse of communication channels for phishing and social engineering, potentially leading to regulatory concerns if customer data is exposed.
Defenders should tighten identity controls around Zendesk and other customer service platforms by enforcing MFA for admin and helpdesk accounts, implementing SSO with phishing-resistant factors, and monitoring for logins from unusual domains or IP addresses. Security teams should block newly observed Zendesk-like domains, educate support staff about fraudulent tickets, and integrate ReliaQuest's indicators into email, DNS, and web filtering systems to detect and stop the campaign before credentials or endpoints are compromised.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Targeting Zendesk administrators and support personnel with phishing and RAT-laced tickets threatens both the confidentiality of customer data and the integrity of support workflows. Compromised accounts can be used to access sensitive customer records, alter tickets, and launch further phishing from trusted channels, potentially causing reputational damage and regulatory exposure for affected organizations.
Technical Context: The campaign combines T1566 phishing via typosquatted Zendesk domains and fraudulent tickets with T1204 user execution and T1078 valid account abuse once credentials are harvested. Overlapping infrastructure and tactics with previous Scattered Lapsus$ Hunters activity against Salesforce environments highlight a broader pattern of attacking SaaS customer service and CRM platforms, where highly privileged users handle large volumes of untrusted inbound content.
⚡Strategic Intelligence Guidance
- Enforce multi-factor authentication and SSO with phishing-resistant methods for all Zendesk administrator and support accounts, and monitor for suspicious login locations or devices.
- Block or closely monitor access to recently registered Zendesk-like domains, and configure email and web filters to flag links to typosquatting domains in tickets or messages.
- Train helpdesk and support staff to recognize malicious tickets, especially those urging urgent action, containing unexpected attachments, or linking to external login pages.
- Review Zendesk app integrations and API tokens, revoking unused access and ensuring least-privilege scopes so that compromise of a single account or integration has limited blast radius.
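As an added illustration of the lookalike-domain monitoring recommended above (this is example code written for this page, not tooling from ReliaQuest or Zendesk): a small Python scanner that reads a newly-registered-domain feed and flags labels that contain the brand string, match it after common digit-for-letter substitutions, or sit within a short edit distance of it, while noting whether the domain sits behind Cloudflare name servers as the reported infrastructure did. The feed format (domain,registrar,nameserver), the sample rows, the first-party suffix list and the distance threshold are all assumptions made for the example.

```python
"""Flag Zendesk-lookalike domains in a newly-registered-domain feed.

Added example for this page; the feed layout, sample rows and
first-party suffix list are constructed assumptions, not ReliaQuest data.
"""
from typing import Dict, List, Optional

BRAND = "zendesk"
# Assumption: only these suffixes are treated as first-party Zendesk hosts.
LEGIT_SUFFIXES = (".zendesk.com", ".zdassets.com")
# Single-character look-alike substitutions commonly used in lookalike labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "2": "z"})
MAX_DISTANCE = 2   # assumption: labels this close to the brand are suspicious
MIN_TOKEN_LEN = 5  # ignore very short tokens such as "acme" or "zen"


def normalize(label: str) -> str:
    """Undo common visual tricks: digits for letters, 'rn' for 'm', 'vv' for 'w'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_first_party(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return d == BRAND + ".com" or d.endswith(LEGIT_SUFFIXES)


def classify(domain: str) -> Optional[str]:
    """Return a reason string if the domain looks like a Zendesk lookalike, else None."""
    if is_first_party(domain):
        return None
    labels = domain.lower().rstrip(".").split(".")
    for label in labels[:-1]:  # every label except the TLD
        norm = normalize(label)
        if BRAND in norm:
            return f"brand string in label '{label}'"
        # Split hyphenated labels (e.g. 'zendesck-portal') into tokens.
        for token in norm.split("-"):
            if len(token) < MIN_TOKEN_LEN:
                continue
            dist = edit_distance(token, BRAND)
            if dist <= MAX_DISTANCE:
                return f"token '{token}' within edit distance {dist} of '{BRAND}'"
    return None


def scan_feed(lines: List[str]) -> List[Dict[str, object]]:
    """Parse 'domain,registrar,nameserver' rows and return flagged entries."""
    flagged = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, _registrar, nameserver = [p.strip() for p in line.split(",")]
        reason = classify(domain)
        if reason is None:
            continue
        flagged.append({
            "domain": domain,
            "reason": reason,
            "cloudflare_ns": "cloudflare" in nameserver.lower(),
        })
    return flagged


# Constructed sample feed: registrars and name servers are placeholders.
SAMPLE_FEED = [
    "# domain,registrar,nameserver",
    "zendesk-sso-login.com,ExampleRegistrar,ns1.cloudflare.com",
    "support.zendesk.com,Zendesk,ns1.zendesk.com",
    "zendesck.net,ExampleRegistrar,ns2.cloudflare.com",
    "acme-helpdesk.com,ExampleRegistrar,ns1.example.net",
    "z3ndesk.com,ExampleRegistrar,dns1.cloudflare.com",
]

if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_FEED):
        print(f"{hit['domain']:28} cloudflare_ns={hit['cloudflare_ns']}  {hit['reason']}")
```

The scanner is deliberately conservative: a legitimate domain such as acme-helpdesk.com is not flagged because "helpdesk" is three edits away from the brand, while zendesck.net (one deletion) and z3ndesk.com (digit substitution) are. In production the first-party suffix list should be replaced by the organization's own allow-list, and hits should feed a block-list or DNS sinkhole rather than only being printed.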
Threats
Scattered Lapsus$ Hunters credential harvesting campaign
Targets
Zendesk administrators, helpdesk personnel, SaaS customer service environments