Scattered Lapsus$ Hunters Attack Zendesk Users with 40+ Fake SSO Phishing Portals
ReliaQuest specialists have uncovered more than forty fraudulent domains masquerading as Zendesk portals, attributing them to the cyber-criminal group known as Scattered Lapsus$ Hunters. These domains host phishing pages with counterfeit SSO forms and appear to form part of a new, large-scale campaign targeting users of the widely adopted customer-support platform.
According to ReliaQuest, over the past six months the attackers have registered dozens of look-alike domains. Some differ from the legitimate Zendesk address by only a transposed or substituted character or two (for example, znedesk[.]com); others prepend a plausible token to the brand name (vpn-zendesk[.]com). Some URLs combine the Zendesk name with the names of specific companies, making the links appear visually familiar and increasing the likelihood that a support agent or customer will click without noticing the deception. Several of these sites host fake single-sign-on pages presented immediately before Zendesk’s real login screen, silently harvesting usernames and passwords.
ReliaQuest notes that the identified domains share distinctive technical traits: registration through NiceNic, contact information tied to the United States and the United Kingdom, and nameservers hidden behind Cloudflare. This “fingerprint” closely resembles the infrastructure observed in an August campaign targeting Salesforce — also attributed to Scattered Lapsus$ Hunters — which relied on similar spoofed SSO pages and subtle domain manipulation.
The danger extends far beyond credential theft through fraudulent web pages. Researchers point out that forged support tickets are likely being mass-submitted through legitimate Zendesk portals across multiple organizations. These messages impersonate urgent administrative requests, payment issues, or password-reset queries, but contain malicious links or attachments, including remote-access trojans (RATs). Should a support agent open such a file or follow such a link, the attackers can gain an immediate foothold on the agent’s workstation and, from there, in the corporate network, enabling reconnaissance, lateral movement, and ultimately a broader compromise of internal systems.
This latest activity fits a now-familiar pattern. In September 2025, Discord reported a compromise of its Zendesk-powered support system, resulting in the leakage of names, email addresses, payment data, IP addresses, and even identity documents. ReliaQuest now suggests that the Discord incident may have been part of a larger strategic focus on attacks routed through Zendesk’s infrastructure. The group itself has hinted at this ambition on Telegram, boasting that they were “preparing 3–4 campaigns simultaneously” and advising incident responders “not to leave on-call duty until January 2026, because #ShinyHuntazz is coming for your customer bases.”
In recent months Scattered Lapsus$ Hunters have shown persistent interest in major SaaS platforms. Beyond Salesforce, they are linked to attacks against Salesloft, Drift, and the customer-success platform Gainsight in late 2025. This strategy perfectly aligns with the playbook for supply-chain attacks: compromising a single cloud service can provide access to the data of dozens or even hundreds of its corporate clients. Analysts caution that, alongside the group’s headline-grabbing successes, imitators or splinter factions may have emerged, borrowing the same techniques and infrastructure.
A particularly acute risk stems from the fact that support platforms — such as Zendesk — are often treated as auxiliary tools and subjected to weaker controls than email gateways or VPN systems. Yet they routinely handle sensitive customer data and integrate deeply with CRM systems, billing platforms, and internal corporate environments. The combination of external phishing domains and internal malicious tickets effectively turns these platforms into full-fledged attack vectors: threats enter both from the outside and through the very channels organizations use to interact with their customers.
ReliaQuest urges companies to treat Zendesk and similar systems as critical infrastructure and reinforce the security of administrator and operator accounts. Chief among the recommendations are strict multifactor authentication with hardware security keys, IP allowlisting for access to the support console, and stringent auto-logout policies, especially during sensitive operations. These measures raise the cost of attack and hinder lateral movement even if credentials are partially compromised.
A second line of defense involves tightening domain-related monitoring. ReliaQuest recommends deploying systems that detect registrations of domains resembling corporate or Zendesk addresses and automatically filter DNS queries to suspicious zones. Digital Risk Protection (DRP) technologies can deliver rapid alerts about new typosquatting domains, block them at the network level, and warn employees before a phishing campaign gains momentum. Early detection of characteristic registration patterns can give organizations several critically important hours — or even days — of advance warning.
A third priority is strengthening control over communications within Zendesk itself. Organizations should restrict the pool of employees who can receive direct inbound messages, and implement content filters capable of spotting phishing links, unusual credential requests, and other hallmarks of social engineering. This reduces the likelihood that another “urgent administrative ticket” will slip through unnoticed and infect a support operator’s workstation.
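The three detection ideas above (spotting look-alike domains such as znedesk[.]com or vpn-zendesk[.]com, matching the NiceNic/Cloudflare/US-UK registration fingerprint ReliaQuest reported, and screening inbound ticket text for phishing links and credential requests) share one core check: is this hostname really Zendesk? The following Python is an added example written for this page, not code from ReliaQuest, Zendesk, or any vendor product. The registrar, nameserver, and country values come from the article; everything else is an assumption: the `registrable_domain` helper naively takes the last two labels rather than consulting a public-suffix list, the credential-request phrase list is illustrative, and the registrations and ticket body are constructed samples, not real WHOIS or ticket data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

BRAND = "zendesk"
LEGIT_DOMAINS = {"zendesk.com"}  # assumption: extend with your own support domains

# Illustrative phrases only; a real filter would use a tuned, larger list.
CRED_PHRASES = ("confirm your login", "verify your password",
                "re-enter your credentials", "reset your password")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposition (znedesk vs zendesk) costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive: last two labels. Use a public-suffix list for ccTLDs like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def typosquat_reasons(host: str) -> List[str]:
    """Return why a hostname looks like a Zendesk impersonation (empty = clean)."""
    host = host.lower().rstrip(".")
    base = registrable_domain(host)
    if base in LEGIT_DOMAINS:          # acme.zendesk.com is a real tenant subdomain
        return []
    reasons = []
    sld = base.split(".")[0]
    d = edit_distance(sld, BRAND)
    if d == 0:
        reasons.append("brand label under an unexpected TLD")        # zendesk.net
    elif d <= 2:
        reasons.append(f"edit distance {d} from '{BRAND}'")          # znedesk.com
    elif BRAND in sld:
        reasons.append(f"'{BRAND}' combined with other tokens")      # vpn-zendesk.com
    prefix = host[: -len(base)] if host.endswith(base) else ""
    if BRAND in prefix:                 # zendesk.login-evil.com
        reasons.append("brand used as a subdomain of an unrelated domain")
    return reasons


@dataclass
class Registration:
    domain: str
    registrar: str
    nameservers: List[str]
    registrant_country: str


def matches_campaign_fingerprint(reg: Registration) -> bool:
    """Registrar/NS/contact traits ReliaQuest reported for this campaign."""
    return ("nicenic" in reg.registrar.lower()
            and any(ns.lower().endswith("ns.cloudflare.com") for ns in reg.nameservers)
            and reg.registrant_country.upper() in {"US", "GB"})


def assess_registration(reg: Registration) -> Dict[str, object]:
    """Combine name similarity with the infrastructure fingerprint into a severity."""
    reasons = typosquat_reasons(reg.domain)
    fp = matches_campaign_fingerprint(reg)
    severity = "high" if reasons and fp else "medium" if reasons else "low" if fp else "none"
    return {"domain": reg.domain, "severity": severity, "reasons": reasons, "fingerprint": fp}


def scan_ticket(body: str) -> Dict[str, list]:
    """Flag look-alike links and credential-request wording in an inbound ticket."""
    findings = {"suspicious_urls": [], "phrases": []}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")                      # strip trailing punctuation
        reasons = typosquat_reasons(urlparse(url).hostname or "")
        if reasons:
            findings["suspicious_urls"].append((url, reasons))
    low = body.lower()
    findings["phrases"] = [p for p in CRED_PHRASES if p in low]
    return findings


# Constructed sample data (not real WHOIS records or a real ticket).
SAMPLE_REGISTRATIONS = [
    Registration("znedesk.com", "NiceNic International Group", ["ada.ns.cloudflare.com"], "US"),
    Registration("vpn-zendesk.com", "NiceNic International Group", ["bob.ns.cloudflare.com"], "GB"),
    Registration("zendesk-acme.com", "Example Registrar", ["ns1.example-dns.net"], "DE"),
    Registration("acme-support.com", "Example Registrar", ["ns1.example-dns.net"], "US"),
]
SAMPLE_TICKET = """Subject: URGENT - admin password reset required
Our billing integration failed. Please confirm your login at
https://vpn-zendesk.com/sso/login?ref=billing before 17:00 today,
or the payment will be reversed. Our real portal is https://acme.zendesk.com/agent.
Thanks, IT Administration"""

if __name__ == "__main__":
    for reg in SAMPLE_REGISTRATIONS:
        print(assess_registration(reg))
    print(scan_ticket(SAMPLE_TICKET))
```

Running the block scores znedesk[.]com as high (name similarity plus the campaign fingerprint), zendesk-acme[.]com as medium (similarity only), and acme-support[.]com as none, while the ticket scanner flags the vpn-zendesk link and the "confirm your login" wording but leaves the genuine acme.zendesk.com tenant URL alone. The fingerprint is deliberately only a severity booster, since many legitimate domains also sit behind Cloudflare, and the subdomain check exists because attackers can put the brand name in front of any domain they control.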
Finally, ReliaQuest recommends automated response workflows: immediate termination of all active sessions and forced password resets following suspicious activity; enhanced scanning of hosts that may have received malicious attachments; and swift disabling of compromised accounts to prevent lateral movement. The company notes that pairing such detection rules with response playbooks can reduce the average containment time to mere minutes, significantly mitigating the impact of both social and technical attacks on support teams.
Against this backdrop, experts anticipate that Scattered Lapsus$ Hunters — and any emerging successors — will continue targeting Zendesk and other support platforms throughout 2026. For organizations dependent on these systems, now is the time to re-examine access controls, domain-monitoring practices, and ticket-handling procedures — especially during the holiday season, a period attackers traditionally exploit when security teams are stretched thin.