
Introduction: Rising Shadows Over SaaS Security
A silent storm is forming across the SaaS landscape, and its epicenter appears to be the helpdesk itself. Organizations that rely on customer service platforms like Zendesk are suddenly discovering that their greatest vulnerability may sit where trust is assumed to be strongest, inside support workflows. A fresh campaign linked to the notorious Scattered Lapsus Hunters group has begun spreading through typosquatted domains, fake support tickets, and credential-harvesting login portals. With more than forty fraudulent Zendesk lookalikes recently uncovered, the attack surface is expanding faster than many organizations can react. The findings raise difficult questions about how cybercriminals are weaponizing support systems and whether recent breaches, including Discord’s customer service compromise, are early signs of a broader threat wave.
Summary of the Original
A Surge in Typosquatted Zendesk Domains
Over the past six months, ReliaQuest discovered more than forty typosquatted domains mimicking Zendesk. These domains often included organizational names embedded into the URL, such as organization-zendesk.com, allowing them to blend into legitimate corporate workflows. Many of these domains hosted phishing pages that mimicked Zendesk single sign-on portals, designed to silently capture employee credentials.
Phishing Infrastructure and Registrar Patterns
ReliaQuest noted that all fraudulent domains were registered through NiceNic, with US and UK registrant details and Cloudflare-masked nameservers. These technical fingerprints match characteristics from the Scattered Lapsus Hunters’ previous campaign that targeted Salesforce in August 2025. The same deceptive formatting, the same SSO-themed lures, and similar infrastructure patterns create a strong link between the two attacks.
Fraudulent Helpdesk Tickets as an Attack Vector
Beyond phishing websites, the group appears to be using fake support tickets submitted through Zendesk portals. These malicious tickets target support agents, luring them into opening embedded links or attachments that deploy remote access trojans and other malware. The pretexts are believable, often framed as urgent admin requests or password reset issues, designed to pressure helpdesk workers into acting quickly.
Suspected First Victim: Discord
The campaign may already have caused significant damage. Discord disclosed a breach involving a third-party customer service provider, where attackers compromised a Zendesk-based support system. The stolen data included email addresses, names, billing information, IP addresses, and even government-issued identification details. ReliaQuest suggests this breach aligns with the tactics observed in the current Zendesk impersonation campaign.
Broader Trend of Attacks on SaaS Platforms
The Zendesk-focused campaign follows similar attacks against Salesforce, Salesloft Drift, and Gainsight, all high-value SaaS platforms heavily integrated into enterprise operations. These platforms store extensive customer data and support downstream systems, making them prime targets for threat actors seeking high-impact breaches.
Possibility of Copycat Operations
While evidence points toward Scattered Lapsus Hunters, ReliaQuest acknowledges that another group could be mimicking their tactics. The recognizable domain formatting and infrastructure quirks could be intentionally replicated to mislead investigators or exploit the group’s already-established fear factor.
Security Recommendations for Organizations
ReliaQuest urges companies to implement stronger security policies for Zendesk users, specifically recommending hardware-based MFA, strict IP allowlisting, and session timeout controls. They also advise continuous domain monitoring and DNS filtering to block typosquatted domains before they can be weaponized.
Securing Support Channels
To limit exposure via Zendesk chat, organizations are encouraged to restrict which employees can receive direct messages and deploy content filters capable of detecting credential-harvesting attempts. Since support teams are now prime targets, their workflows must be protected with the same rigor as privileged admin accounts.
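The domain monitoring and DNS filtering recommended for Zendesk tenants, and the content filters suggested for support channels, can be prototyped with the same core check: does a hostname trade on the Zendesk brand without being a real Zendesk host? The Python below is an added example written for this page, not code from ReliaQuest, Zendesk or the original article. It assumes (a simplification) that only zendesk.com and its subdomains are legitimate, flags hostnames that embed the brand in another domain (the organization-zendesk.com pattern described above) or misspell it by one character, and scans a constructed ticket body for links to such hosts.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

BRAND = "zendesk"
# Assumption: only the vendor apex and customer subdomains (acme.zendesk.com) are trusted.
LEGIT_SUFFIXES = ("zendesk.com",)

# Crude URL extractor for ticket bodies; stops at whitespace and common closing punctuation.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit_host(host: str) -> bool:
    """True for the vendor domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def lookalike_reason(host: str) -> Optional[str]:
    """Explain why a host looks like a Zendesk impersonation, or return None if it does not."""
    host = host.lower().rstrip(".")
    if is_legit_host(host):
        return None
    # Split on dots, hyphens and underscores so 'acme-zendesk' and 'zendesk.login' both yield tokens.
    for tok in re.split(r"[.\-_]", host):
        if tok == BRAND:
            return f"brand embedded in non-vendor domain: {host}"
        if BRAND in tok:
            return f"brand substring in label '{tok}': {host}"
        if len(tok) >= 5 and edit_distance(tok, BRAND) == 1:
            return f"one-edit typo of brand in label '{tok}': {host}"
    return None


def scan_ticket(text: str) -> List[Tuple[str, str]]:
    """Return (url, reason) pairs for links in a ticket body whose host impersonates Zendesk."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            hits.append((url, reason))
    return hits


# Constructed ticket text in the style of the pretexts described above (not a real ticket).
SAMPLE_TICKET = (
    "Hi team, urgent admin request: my SSO is locked. "
    "Please re-authenticate at https://acme-zendesk.com/sso/login "
    "(the normal portal https://acme.zendesk.com/agent is fine too). "
    "Docs: https://zemdesk.com/reset?u=admin"
)

if __name__ == "__main__":
    for url, reason in scan_ticket(SAMPLE_TICKET):
        print(f"BLOCK {url}  [{reason}]")
```

The same `lookalike_reason` function can be run over newly registered domain feeds for monitoring, or over resolver logs for DNS filtering; in production the public-suffix list should replace the single hard-coded suffix, and a second brand list covers the other SaaS vendors named in this article.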
What Undercode Says: Analytical Breakdown of the Campaign
Why Helpdesk Systems Are Becoming Prime Targets
Helpdesk platforms sit at a unique intersection of trust, access, and human vulnerability. Support agents regularly handle sensitive information and are accustomed to solving urgent user issues, making them more likely to engage with suspicious requests if they appear time-sensitive. Attackers understand this psychology and exploit it by creating believable support-focused pretexts.
The Typosquatting Strategy and Its Growing Sophistication
Typosquatted SaaS domains are not new, but the level of detail observed in these Zendesk impersonations showcases an evolution in criminal craftsmanship. The domains not only mirror naming conventions but also adopt branding elements and authentication flows that match legitimate SSO portals. This raises the stakes significantly because even trained IT staff may fail to spot inconsistencies.
SSO Phishing Portals as a Gateway to Lateral Movement
Once attackers harvest credentials through these lookalike SSO portals, they gain access to internal support dashboards. These environments allow lateral movement into other business systems, exposing a trove of customer interactions, issue logs, and sometimes even sensitive backend controls. From there, privilege escalation becomes far easier.
Why the Patterns Point to Scattered Lapsus Hunters
The Lapsus-linked groups have a documented history of disruptive, high-profile breaches. Their approach historically centers around social engineering and credential theft rather than technical exploits. The Zendesk campaign fits this mold perfectly, especially with the recycled infrastructure patterns that ReliaQuest identified.
The Discord Breach as a Case Study
Discord’s breach highlights how dangerous support-system intrusions can be. The stolen government-issued identification data indicates attackers accessed document uploads used for identity verification. This marks a dangerous escalation, since such information is often leveraged for identity theft, account takeovers, and secondary fraud.
The Domino Effect in SaaS Security
Targeting the support layer of a SaaS platform creates a cascade of vulnerabilities. A compromised helpdesk account can access or request access to other business systems under the guise of support resolution. This creates a scenario where a single compromised ticket can trigger organization-wide chaos.
The Copycat Theory
While some infrastructure overlaps point toward Scattered Lapsus Hunters, cybercrime groups frequently imitate successful campaigns. A copycat group could easily replicate domain patterns to create investigative confusion. This possibility complicates attribution and suggests the broader criminal ecosystem is evolving around a shared playbook.
Mitigation Measures and the Role of Zero Trust
Hardware-based authentication keys remain one of the strongest defenses against credential-harvesting campaigns. Combined with IP restrictions and consistent session expiry policies, organizations can significantly reduce their exposure. The helpdesk must now be treated as a zero-trust environment, subject to continuous verification and behavioral monitoring.
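As an added illustration of the three controls just named being evaluated together on every request, the Python below is example code written for this page, not Zendesk's or ReliaQuest's. The allowlisted networks, the accepted hardware MFA method names and the 15-minute idle limit are constructed placeholder values; a real deployment would take them from its own policy.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed policy values (placeholders, not a recommendation of specific numbers).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # documentation range standing in for office egress
    ipaddress.ip_network("2001:db8:10::/48"),  # documentation range standing in for VPN egress
]
HARDWARE_MFA_METHODS = {"webauthn", "fido2"}  # assumed labels for hardware-bound authenticators
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class SessionEvent:
    """One helpdesk request as the policy engine would see it."""
    user: str
    source_ip: str
    mfa_method: str
    last_activity: datetime
    now: datetime


def evaluate(event: SessionEvent) -> List[str]:
    """Return every policy violation for the request; an empty list means allow."""
    violations: List[str] = []
    try:
        ip = ipaddress.ip_address(event.source_ip)
    except ValueError:
        # Fail closed on malformed input rather than skipping the allowlist check.
        return ["unparseable source address"]
    if not any(ip in net for net in ALLOWED_NETWORKS):
        violations.append(f"source {ip} outside allowlist")
    if event.mfa_method not in HARDWARE_MFA_METHODS:
        violations.append(f"mfa method '{event.mfa_method}' is not hardware-bound")
    if event.now - event.last_activity > IDLE_TIMEOUT:
        violations.append("session idle beyond timeout")
    return violations


def audit(events: List[SessionEvent]) -> Dict[str, List[str]]:
    """Evaluate a batch of events, keyed by user, for log review or alerting."""
    return {e.user: evaluate(e) for e in events}


# Constructed events: one clean request, one that a phished password alone would produce
# (outside the allowlist, push-style MFA), and one stale session.
T0 = datetime(2025, 11, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SessionEvent("agent1", "203.0.113.10", "webauthn", T0 - timedelta(minutes=2), T0),
    SessionEvent("agent2", "198.51.100.7", "push", T0 - timedelta(minutes=1), T0),
    SessionEvent("agent3", "203.0.113.44", "fido2", T0 - timedelta(minutes=40), T0),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_EVENTS).items():
        print(user, "ALLOW" if not problems else "DENY: " + "; ".join(problems))
```

The point of returning all violations rather than the first one is observability: a request that fails the allowlist and also presents a non-hardware factor is a stronger signal of a harvested credential than either condition alone, and that combination is what behavioral monitoring of the helpdesk should surface.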
Why SaaS Security Must Move Beyond Convenience
This campaign underscores a hard truth. Businesses have prioritized convenience and integration in SaaS platforms, often at the expense of robust security controls. As attackers increasingly exploit these weaknesses, organizations must rethink how support systems are protected, audited, and monitored for anomalies.
🔍 Fact Checker Results
ReliaQuest confirmed over forty typosquatted Zendesk domains. ✅
Discord’s breach was linked to a compromised customer service provider using Zendesk. ✅
Attribution to Scattered Lapsus Hunters remains probable but not definitively proven. ❌
📊 Prediction
Expect an escalation of helpdesk-focused phishing campaigns as attackers replicate the successful Zendesk strategy. 🔐
More SaaS platforms will become targets, especially those with decentralized support access. 📈
Organizations that fail to harden support workflows may face large-scale data breaches within the next 12 months. ⚠️
References:
Reported By: www.infosecurity-magazine.com