by yokto 1060 days ago
This is trivial to mitigate with per-account rate limiting.

On top of that, if a specific account is targeted at the rate-limit, a flag could be put in place to let support disable the automation for that account.

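The per-account rate limit plus "hand it to support" flag described in the comment above, as an added example that is not the commenter's code and not any real service's implementation. It assumes a hypothetical automated deactivate-by-email flow guarded by a `DeactivationGate` (window, threshold, account ids and the clock are all constructed for the example): requests under the threshold are automated, the request that crosses it flips the account's `automation_disabled` flag and opens a ticket instead, and everything after that stays with support until a human clears the flag.

```python
from collections import deque
from dataclasses import dataclass, field
import time

# Assumed policy values; a real service would tune these per product.
WINDOW_SECONDS = 3600
MAX_AUTOMATED_PER_WINDOW = 3


@dataclass
class AccountState:
    attempts: deque = field(default_factory=deque)  # timestamps of recent automated runs
    automation_disabled: bool = False               # the "send it to support" flag


class DeactivationGate:
    """Per-account gate in front of a hypothetical deactivate-by-email automation."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_AUTOMATED_PER_WINDOW,
                 clock=time.monotonic):
        self.window = window
        self.limit = limit
        self.clock = clock           # injectable so the window can be simulated offline
        self.accounts = {}
        self.support_queue = []      # tickets a human would pick up manually

    def request(self, account_id):
        """Return 'automated' or 'support_ticket' for one inbound deactivation request."""
        now = self.clock()
        state = self.accounts.setdefault(account_id, AccountState())

        # Flag already set: automation stays off until support clears it.
        if state.automation_disabled:
            self.support_queue.append((account_id, now))
            return "support_ticket"

        # Sliding window: forget attempts older than `window` seconds.
        while state.attempts and now - state.attempts[0] >= self.window:
            state.attempts.popleft()

        if len(state.attempts) >= self.limit:
            # Account is being hammered: stop automating, open a ticket instead.
            state.automation_disabled = True
            self.support_queue.append((account_id, now))
            return "support_ticket"

        state.attempts.append(now)
        return "automated"

    def support_reenable(self, account_id):
        """Support clears the flag after verifying the account holder out of band."""
        state = self.accounts.setdefault(account_id, AccountState())
        state.automation_disabled = False
        state.attempts.clear()


class FakeClock:
    """Constructed clock so the scenario runs instantly instead of over an hour."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate():
    """Five requests ten seconds apart against one account, then one more after support clears it."""
    clock = FakeClock()
    gate = DeactivationGate(clock=clock)
    outcomes = []
    for _ in range(5):
        outcomes.append(gate.request("alice"))
        clock.t += 10
    gate.support_reenable("alice")
    outcomes.append(gate.request("alice"))
    return outcomes, len(gate.support_queue)


if __name__ == "__main__":
    print(simulate())
```

The limit is keyed on the account, not the requesting IP, so a distributed sender gains nothing, and the flag is sticky rather than a plain reject: once tripped, every further request becomes a support ticket, which is what moves the burden onto whoever is trying to deactivate the account.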

And once that happens, I then steal the target's phone.

If we're talking about deactivating someone's account via email, we are already talking about a targeted attack.

I'm not sure how relevant that threat model is (OS-level security would probably be enabled for people susceptible to being targeted in such a way. Support could advise doing it before toggling the flag, etc.), but anyway the hypothetical flag would only be about making sure the automation doesn't happen and the ticket goes to support. Support can then manually handle the rare edge case and place more burden on the person attempting to deactivate the account.