T1667 Email Bombing
Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations.21
An adversary may accomplish email bombing by leveraging an automated bot to register a targeted address for e-mail lists that do not validate new signups, such as online newsletters. The result can be a wave of thousands of e-mails that effectively overloads the victim’s inbox.14
By sending hundreds or thousands of e-mails in quick succession, adversaries may successfully divert attention away from and bury legitimate messages including security alerts, daily business processes like help desk tickets and client correspondence, or ongoing scams.4 This behavior can also be used as a tool of harassment.1
This behavior may be a precursor for Spearphishing Voice. For example, an adversary may email bomb a target and then follow up with a phone call to fraudulently offer assistance. This social engineering may lead to the use of Remote Access Software to steal credentials, deploy ransomware, conduct Financial Theft2, or engage in other malicious activity.3
| Item | Value |
|---|---|
| ID | T1667 |
| Sub-techniques | |
| Tactics | TA0040 |
| Platforms | Linux, Office Suite, Windows, macOS |
| Version | 1.0 |
| Created | 31 January 2025 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1046 | Storm-1811 | Storm-1811 has deployed large volumes of non-malicious email spam to victims in order to prompt follow-on interactions with the threat actor posing as IT support or helpdesk to resolve the problem.37 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1054 | Software Configuration | Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.65 Note that additional filtering may be necessary if emails are coming from legitimate sources. |
| M1017 | User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful social engineering via e-mail bombing. |
References
-
Brian Krebs. (2016, August 18). Massive Email Bombs Target .Gov Addresses. Retrieved January 31, 2025. ↩↩↩
-
Mark Parsons, Colin Cowie, Daniel Souter, Hunter Neal, Anthony Bradshaw, Sean Gallagher. (2025, January 21). Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”. Retrieved January 31, 2025. ↩↩
-
Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025. ↩↩
-
U.S. Department of Health and Human Services. (2024, March 12). Defense and Mitigations from E-mail Bombing. Retrieved January 31, 2025. ↩↩
-
Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. ↩
-
Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. ↩
-
Red Canary Intelligence. (2024, December 2). Storm-1811 exploits RMM tools to drop Black Basta ransomware. Retrieved March 14, 2025. ↩