Azerbaijan's National Cybersecurity Agency has exposed a sophisticated phishing campaign leveraging Freshdesk to target organisations across the transport, oil and gas, international trade, and business development sectors. The attackers sent their lures from previously compromised email accounts, so the messages arrived from real, trusted senders, and used generic subject lines such as "Shared a File" and "New secure message from" to direct recipients to fraudulent document-sharing portals. The technical sophistication of the operation lay in its use of Adversary-in-the-Middle (AiTM) techniques: the fake portal proxies the victim's traffic to the real login page, relaying the password and the multi-factor authentication code in real time and then capturing the session cookie that the legitimate service issues. Because that cookie is accepted without a further MFA prompt, code- and push-based MFA is bypassed and the attacker holds working, persistent access to the account until the session is revoked. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys are not affected in the same way, because the credential is bound to the legitimate origin and cannot be relayed through the attacker's domain.
For CX teams, this campaign presents a critical exposure that extends beyond typical email security concerns. Freshdesk's position as a trusted customer engagement platform means that phishing emails imitating its notifications carry inherent credibility; users are conditioned to expect file-sharing and secure-message alerts from their support infrastructure. CX organisations relying on Freshdesk, or on similar platforms such as Zendesk and HubSpot, should ask whether they have deployed email authentication (SPF, DKIM and a DMARC policy of quarantine or reject) to stop attackers forging their own domains, but they should also understand the limit of those controls: mail sent from a compromised legitimate mailbox, as in this campaign, passes SPF, DKIM and DMARC because it genuinely comes from the sender's infrastructure. The AiTM technique's effectiveness against MFA shows that one-time codes and push approvals alone are insufficient; teams must audit whether their platforms support phishing-resistant MFA, whether session lifetimes are short enough to limit the value of a stolen cookie, and whether they alert on or block a session being used from an unexpected geography or from two clients at once.
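The "session used from an unexpected client" check above is the one signal a defender can act on after the cookie has already been stolen, so here is a worked detection over constructed access-log lines. This is an added example, not code from the agency's report or from Freshdesk; the log format, the field names, the users and the IP addresses are all assumptions made for the illustration. It flags a session id that, shortly after login, appears from a different source IP together with a different country or user agent, which is what an AiTM proxy replaying a captured cookie from its own infrastructure looks like.

```python
"""Detect AiTM-style session-cookie replay in (constructed) auth logs.

Added example, not the advisory's or any vendor's code. The log format is
an assumption: one line per event, with key=value fields for user, session
id (sid), source IP, country code (cc) and user agent (ua).
"""
from datetime import datetime, timedelta

# Constructed sample data, not real traffic. agent1 logs in and passes MFA
# from AZ, then the same sid is used minutes later from NL with a different
# browser: the stolen cookie is being replayed. agent3 shows the same sid
# from a new IP and country with the browser string unchanged. agent2 is
# a normal session used by one client.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z LOGIN_SUCCESS user=agent1 sid=s-7f3a ip=185.96.0.14 cc=AZ ua=Chrome/124
2024-05-02T08:03:42Z MFA_OK user=agent1 sid=s-7f3a ip=185.96.0.14 cc=AZ ua=Chrome/124
2024-05-02T08:09:05Z API_CALL user=agent1 sid=s-7f3a ip=45.133.1.9 cc=NL ua=Firefox/115
2024-05-02T08:30:00Z LOGIN_SUCCESS user=agent2 sid=s-c2d1 ip=185.96.0.20 cc=AZ ua=Chrome/124
2024-05-02T09:15:00Z API_CALL user=agent2 sid=s-c2d1 ip=185.96.0.20 cc=AZ ua=Chrome/124
2024-05-02T10:00:00Z LOGIN_SUCCESS user=agent3 sid=s-aa01 ip=203.0.113.5 cc=AZ ua=Safari/17
2024-05-02T10:20:00Z API_CALL user=agent3 sid=s-aa01 ip=198.51.100.7 cc=DE ua=Safari/17
"""


def parse_line(line):
    """Turn one log line into a dict; timestamp is parsed, the rest are strings."""
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_session_replays(records, window=timedelta(hours=1)):
    """Return one alert per session id that is used from a second client.

    The first event carrying a sid is treated as the client that legitimately
    created it. A later event with the same sid is flagged when the source IP
    differs AND at least one of country or user agent also differs, within
    `window` of the original event. Requiring a second changed attribute keeps
    ordinary mobile IP churn (same country, same browser) out of the alerts.
    """
    first_seen = {}
    alerts = []
    flagged = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        sid = rec["sid"]
        origin = first_seen.setdefault(sid, rec)
        if rec is origin or sid in flagged:
            continue
        changed = [k for k in ("ip", "cc", "ua") if rec[k] != origin[k]]
        if "ip" in changed and len(changed) >= 2 and rec["ts"] - origin["ts"] <= window:
            flagged.add(sid)
            alerts.append({
                "user": rec["user"],
                "sid": sid,
                "login_ip": origin["ip"],
                "replay_ip": rec["ip"],
                "changed": changed,
                "minutes_after_login": (rec["ts"] - origin["ts"]).total_seconds() / 60,
            })
    return alerts


def users_to_reauthenticate(alerts):
    """Users whose sessions should be revoked server-side, not just password-reset."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
    print("revoke sessions for:", users_to_reauthenticate(find_session_replays(parse_log(SAMPLE_LOG))))
```

On the sample data the two replayed sessions (agent1 and agent3) are reported and agent2 is not. The response for a flagged user is to invalidate the session on the server side and force a fresh login: a password reset alone leaves the already-issued cookie valid until it expires.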
The broader implication is that CX platforms have become attractive attack vectors precisely because they handle sensitive customer interactions and authentication workflows. Support teams should treat Freshdesk notifications with the same scepticism as external emails, verify any request involving credentials through a separate channel before acting on it, and ensure their organisations' own email domains cannot be forged. For administrators, this incident underscores the need to review access logs for unusual session activity (the same session appearing from a new IP address, country or browser shortly after login), to revoke sessions rather than only reset passwords when compromise is suspected, since the stolen cookie stays valid until it is invalidated, and to educate agents that legitimate platform notifications will never request passwords or MFA codes, a principle that should be embedded into onboarding and reinforced regularly.
Source: Azerbaijan's cybersecurity authority warns of large-scale Freshdesk phishing operation (Report.az)