We have seen a sharp increase in phishing tickets into our Zendesk over the last few weeks.
The latest scenario is where they set the reply-to address using a legitimate system user.
The from address will be a hijacked domain.
Reply to: email@example.com
Subject: Please change your Password
Body: Text and link to capture your password
Zendesk will create the ticket and set the requester as firstname.lastname@example.org which could be a real agent/admin in the system.
The only warning the ticket will show is at the very bottom of the chain, which is tiny, not in colour, no bold, no warning images, nothing else in the ticket. If the chain is long this could easily be pushed down out of view of the agent.
We already have "Authenticate emails received with SPF, DKIM, and DMARC alignment" enabled.
I was even able to test this using my Gmail email address, setting an agent's email as the reply-to, and the ticket came in under the agent.
Zendesk need to take this seriously and look at improving the warnings or have options for admins to suspend where the from and reply-to are different for review.
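The check the post asks for, as an added example (not part of the original post and not Zendesk functionality): a Python filter run on raw inbound mail before it reaches the help desk. It suspends messages whose Reply-To names an agent while From is someone else, and sends other From/Reply-To domain mismatches to review. The agent list, the addresses and the three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: agent/admin addresses known to the help desk (constructed value).
AGENT_ADDRESSES = {"agent.one@support.example"}

# Constructed sample messages, not taken from real tickets.
SPOOFED = ("From: Helpdesk <notice@hijacked.example>\n"
           "Reply-To: agent.one@support.example\n"
           "Subject: Please change your Password\n\n(body omitted)\n")
GENUINE = "From: customer@customer.example\nSubject: Order query\n\nHello\n"
MISMATCH = ("From: billing@vendor.example\n"
            "Reply-To: accounts@vendor-billing.example\n"
            "Subject: Invoice\n\nHello\n")


def _addresses(msg, header):
    """Lower-cased addresses from every occurrence of a header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}


def _domain(addr):
    return addr.rpartition("@")[2]


def triage(raw_message):
    """Return (action, reasons); action is 'suspend', 'review' or 'accept'."""
    msg = message_from_string(raw_message)
    senders = _addresses(msg, "From")
    reasons, impersonation = [], False
    if len(senders) != 1:
        reasons.append("From header missing or has multiple addresses")
    sender_domains = {_domain(a) for a in senders}
    # Only Reply-To addresses that differ from the From address are of interest.
    for addr in sorted(_addresses(msg, "Reply-To") - senders):
        if addr in AGENT_ADDRESSES:
            impersonation = True
            reasons.append(f"Reply-To {addr} is an agent, From is not that agent")
        elif _domain(addr) not in sender_domains:
            reasons.append(f"Reply-To {addr} is outside the From domain")
    if impersonation:
        return "suspend", reasons
    return ("review" if reasons else "accept"), reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("mismatch", MISMATCH)):
        print(name, *triage(raw))
```

SPF, DKIM and DMARC alignment evaluate the From domain and the sending infrastructure, not the Reply-To header, so a comparison like this has to be made separately from those checks.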