The Scattered Lapsus$ Hunters group is targeting Zendesk customers - here's what you need to know
Briefly

"These domains, such as znedesk[.]com or vpn-zendesk[.]com, are clearly designed to mimic legitimate Zendesk environments. Some host phishing pages, like fake single sign-on (SSO) portals that appear before Zendesk authentication,"
"It's a classic tactic probably aimed at stealing credentials from unsuspecting users. We also identified Zendesk-related impersonating domains that contained multiple different organizations' names or brands within the URL, making it even more likely that unsuspecting users would trust and click on these links."
"These elements are reminiscent of the recent Scattered Lapsus$ Hunters campaign that targeted customer relationship management platform Salesforce in August 2025,"
"The domains we uncovered while investigating the August campaign shared similarities with the Zendesk domains: formatting, registry characteristics, and the use of deceptive SSO portals."
Scattered Lapsus$ Hunters is running a phishing campaign targeting Zendesk users that includes more than 40 typosquatted domains and impersonating URLs created over the last six months. The impersonating domains mimic organizations' Zendesk environments and host fake single sign-on portals to capture credentials. Many registrations share NiceNic, US and UK registrant contacts, and Cloudflare-masked nameservers, mirroring a prior August 2025 Salesforce campaign. Fraudulent tickets are being submitted to legitimate Zendesk portals with pretexts such as urgent system administration requests and fake password resets, aiming to infect support personnel with remote access trojans and other malware.
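As an added example (not from the article or from Zendesk), a defender could screen domains seen in DNS or proxy logs for the two lookalike patterns quoted above: a near-miss spelling such as znedesk[.]com, and the brand name embedded in an unrelated domain such as vpn-zendesk[.]com. The allowlisted root, the edit-distance threshold of 1 and the sample list are assumptions.

```python
import re

BRAND = "zendesk"
LEGIT_ROOT = "zendesk.com"  # assumption: only this root is treated as genuine

def refang(domain):
    """Undo [.] defanging and normalise case."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def osa_distance(a, b):
    """Edit distance that also counts an adjacent swap (ne -> en) as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain):
    d = refang(domain)
    if d == LEGIT_ROOT or d.endswith("." + LEGIT_ROOT):
        return "legitimate"
    labels = d.split(".")[:-1]  # every label except the TLD
    if any(BRAND in label for label in labels):
        return "brand-keyword"  # exact brand string outside the genuine root
    tokens = [t for label in labels for t in re.split(r"[-_]", label) if t]
    if any(osa_distance(t, BRAND) <= 1 for t in tokens):
        return "typosquat"      # one edit or one swap away from the brand
    return "unrelated"

# Constructed sample: two domains quoted on this page plus made-up entries.
SAMPLE = ["znedesk[.]com", "vpn-zendesk[.]com", "acme.zendesk.com",
          "acme-zendesk.example.net", "example.org"]

def triage(domains):
    """Return {domain: verdict} for the domains worth an analyst's look."""
    verdicts = {d: classify(d) for d in domains}
    return {d: v for d, v in verdicts.items() if v in ("typosquat", "brand-keyword")}

if __name__ == "__main__":
    for dom, verdict in triage(SAMPLE).items():
        print(f"{verdict:14} {dom}")
```

A hit is a lead for review, not a verdict: registration date, registrar and nameserver details of the kind the summary mentions would be the next things to check.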
Read at IT Pro