Zendesk ticket systems hijacked in massive global spam wave
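A wave of spam originating from unprotected Zendesk support systems has appeared worldwide. Attackers abuse the platform's feature that lets unverified users submit support requests to generate large numbers of confirmation emails with strange subject lines. Because these emails come from legitimate companies' systems, they bypass spam filters. Although they contain no malicious links or phishing, their sheer volume and chaotic content are confusing. Affected companies have taken measures in response and advise users to ignore such emails. 2026-1-22 00:0:30 Author: www.bleepingcomputer.com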


People worldwide are being targeted by a massive spam wave originating from unsecured Zendesk support systems, with victims reporting receiving hundreds of emails with strange and sometimes alarming subject lines.

The wave of spam messages started on January 18th, with people reporting on social media that they received hundreds of emails.

While the messages do not appear to contain malicious links or obvious phishing attempts, the sheer volume and chaotic nature of the emails have made them highly confusing and potentially alarming for recipients.


The emails are being generated by support platforms run by companies that use Zendesk for customer service.

Attackers are abusing Zendesk's ability to allow unverified users to submit support tickets, which then automatically generate confirmation emails sent to the email address the attacker entered.

Because Zendesk sends automated replies confirming that a ticket was received, the attackers are able to turn these systems into a mass-spamming platform by iterating through large lists of email addresses when creating fake support tickets.

Companies whose Zendesk instances were seen impacted include: Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime.

Wave of spam coming from unsecured Zendesk instances
Source: BleepingComputer

The emails have bizarre subjects, with some pretending to be law-enforcement requests or corporate takedowns, while others offer free Discord Nitro or say "Help Me!" Many are also written in Unicode fonts that bold or decorate the text, and in multiple languages.

Examples include:

  • FREE DISCORD NITRO!!
  • TAKE DOWN ORDER NOW FROM CD Projekt
  • LEGAL NOTICE FROM ISRAEL FOR koei Tecmo
  • TAKE DOWN NOW ORDER FROM Israel FOR Square Enix
  • DONATION FOR State Of Tennessee CONFIRMED
  • LEGAL NOTICE FROM State Of Louisiana FOR Electronic
  • 鶊坝鱎煅貃姄捪娂隌籝鎅熆媶鶯暘咭珩愷譌argentine恖
  • Re: TAKE DOWN NOW ORDER FROM CHINA FOR Konami Digital Entertainme
  • IMPORTANT LAW ENFORCEMENT NOTIFICATION FROM DISCORD FROM Peru
  • Thank you for your purchase! 
  • Help Me!
  • Empty titles

Because the emails come from legitimate companies' Zendesk support systems, they are bypassing spam filters, making them more intrusive and alarming than ordinary spam mail. However, as the emails don't contain phishing links, they appear to be designed to troll recipients rather than to engage in malicious behavior.

Multiple companies have confirmed they were affected by the spam wave, including Dropbox and 2K, who responded to tickets to tell recipients not to be concerned and to ignore the emails.

"You may have recently received an automated response or notification regarding a support ticket that you did not submit. We want to clarify why this might have happened and assure you there is no cause for concern," wrote 2K.

"To remove barriers and enhance your experience, our system allows anyone to submit a support ticket, provide feedback, and report bugs without having to sign up for a dedicated support account and verify their email address. This open policy means that anyone can potentially submit a ticket using any email address."

"Please rest assured that we do not act on any account or process sensitive requests without authenticated, direct instruction from the account holder."

Zendesk told BleepingComputer that they have introduced new safety features on their end to detect and stop this type of spam in the future.

"We've introduced new safety features to address relay spam, including enhanced monitoring and limits designed to detect unusual activity and stop it more quickly,"

"We want to assure everyone that we are actively taking steps - and continuously improving - to protect our platform and users."

Zendesk previously warned customers about this type of abuse in a December advisory, explaining that attackers were using Zendesk to send mass spam emails through what it called "relay spam."

The company says that organizations can prevent this type of abuse by restricting ticket creation to only verified users and removing placeholders that allow any email address or ticket subject to be used.
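One way to monitor a help desk for the relay-spam pattern described above, as an added example that is not from the article or from Zendesk: it flags a submitting source that opens tickets for many distinct unverified requester addresses within a short window. The event fields, thresholds and sample records are assumptions constructed for illustration, not a Zendesk log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ticket-creation events (not real data):
# (time, submitting client IP, requester address typed into the form, verified?)
EVENTS = [
    # One source opening tickets for five different addresses in four minutes.
    *[(f"2026-01-18T10:0{i}:00", "198.51.100.7", f"victim{i}@example.org", False)
      for i in range(5)],
    # A real customer following up twice with their own address.
    ("2026-01-18T10:02:00", "203.0.113.20", "alice@example.com", False),
    ("2026-01-18T10:03:00", "203.0.113.20", "Alice@example.com", False),
    # A shared office IP: different people, hours apart.
    *[(f"2026-01-18T1{i}:30:00", "192.0.2.9", f"user{i}@example.net", False)
      for i in range(4)],
    # A verified requester is never counted.
    ("2026-01-18T10:01:30", "198.51.100.7", "member@example.org", True),
]

def find_relay_sources(events, window=timedelta(minutes=5), max_distinct=3):
    """Return {source: peak count of distinct unverified requester addresses
    seen in any window} for every source that exceeded max_distinct."""
    recent = defaultdict(deque)  # source -> (time, requester) pairs in window
    flagged = {}
    for ts, source, requester, verified in sorted(events):
        if verified:
            continue  # a verified address cannot be an arbitrary third party
        now = datetime.fromisoformat(ts)
        q = recent[source]
        q.append((now, requester.lower()))
        while now - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({addr for _, addr in q})
        if distinct > max_distinct:
            flagged[source] = max(flagged.get(source, 0), distinct)
    return flagged

if __name__ == "__main__":
    for source, peak in find_relay_sources(EVENTS).items():
        print(f"{source}: {peak} distinct unverified requesters in 5 minutes")
```
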



Source: https://www.bleepingcomputer.com/news/security/zendesk-ticket-systems-hijacked-in-massive-global-spam-wave/