Not exactly, but maybe I misunderstood the issue. I’ve tested Zammad’s behaviour and came to the conclusion, that the 3rd party must have done the following:
• They clicked on ‘reply’ or ‘reply all’ on an e-mail they have been CC’ed from Zammad
• They deleted the original ‘to:’ (i.e. the former ‘from:’, customer/ticket owner)
• They put in the address from Zammad into the ‘to:’-field and left all other fields (CC/BCC) blank
Zammad would then add that e-mail to the existing ticket because of the (invisible) header—and thus, the ticket owner could see the answer.
I don’t think there could be a way to implement a ‘solution’ to this, and I understand if you think (as I do, know) almost no one would work with e-mail this way—but obviously, someone did.
So I’ll leave this here for discussion and consideration. 