Email Bombing

Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations.^[1]^[2]

An adversary may accomplish email bombing by leveraging an automated bot to register a targeted address for e-mail lists that do not validate new signups, such as online newsletters. The result can be a wave of thousands of e-mails that effectively overloads the victim’s inbox.^[2]^[3]

By sending hundreds or thousands of e-mails in quick succession, adversaries may successfully divert attention away from and bury legitimate messages including security alerts, daily business processes like help desk tickets and client correspondence, or ongoing scams.^[3] This behavior can also be used as a tool of harassment.^[2]

This behavior may be a precursor for Spearphishing Voice. For example, an adversary may email bomb a target and then follow up with a phone call to fraudulently offer assistance. This social engineering may lead to the use of Remote Access Software to steal credentials, deploy ransomware, conduct Financial Theft^[1], or engage in other malicious activity.^[4]

ID: T1667

Sub-techniques: No sub-techniques

ⓘ

Tactic: Impact

ⓘ

Platforms: Linux, Office Suite, Windows, macOS

ⓘ

Impact Type: Availability

Contributors: Ryan Perez

Version: 1.0

Created: 31 January 2025

Last Modified: 15 April 2025

Version Permalink

Live Version

Procedure Examples

ID	Name	Description
G1046	Storm-1811	Storm-1811 has deployed large volumes of non-malicious email spam to victims in order to prompt follow-on interactions with the threat actor posing as IT support or helpdesk to resolve the problem.^[4]^[5]

Mitigations

ID	Mitigation	Description
M1054	Software Configuration	Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.^[6]^[7] Note that additional filtering may be necessary if emails are coming from legitimate sources.
M1017	User Training	Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful social engineering via e-mail bombing.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0015	Application Log	Application Log Content	Monitor e-mail logs for an abnormally high volume of messages or message content sent to specific victim e-mail addresses or servers. Analytic 1 - Spike in Email Volume `index=email_logs sourcetype="mail:log"\| timechart span=5m count by recipient_email\| eventstats avg(count) as avg_count stdev(count) as std_dev by recipient_email\| eval spike=if(count > avg_count + (3*std_dev), 1, 0)\| search spike=1\| table _time, recipient_email, count, avg_count, std_dev`
DS0022	File	File Creation	Monitor for - Attachment creation events with excessive or repetitive file creation- Unusual file size from email messages (e.g., base64-encoded attachments dumped locally)- Burst of .eml, .msg, .tmp file extensions in mail client folders Analytic 1 - Email file creations `EventCode=11 (file_name=".eml" OR file_name=".msg" OR file_name="*.tmp")\| stats count avg(file_size) max(file_size) by user, file_path, process_name, _time\| where count > 100 OR max(file_size) > 1000000\| table _time, user, process_name, file_path, file_name, count, max(file_size)`
DS0029	Network Traffic	Network Traffic Flow	Monitor network data for uncommon data flows. Abnormal spikes in incoming traffic volume to specific victim e-mail addresses or servers may indicate an email bombing attempt. Analytic 1 - Suspicious network traffic `sourcetype="zeek:conn" dest_port=25 OR dest_port=465 OR dest_port=587\| stats count avg(bytes_in) by src_ip, dest_ip, dest_port, _time\| eventstats avg(count) as avg_flows, stdev(count) as std_flows by dest_ip\| eval anomaly=if(count > avg_flows + (2*std_flows), 1, 0)\| search anomaly=1\| table _time, src_ip, dest_ip, dest_port, count, avg_flows`

DS0015

Application Log

Application Log Content

Monitor e-mail logs for an abnormally high volume of messages or message content sent to specific victim e-mail addresses or servers.

Analytic 1 - Spike in Email Volume index=email_logs sourcetype="mail:log"| timechart span=5m count by recipient_email| eventstats avg(count) as avg_count stdev(count) as std_dev by recipient_email| eval spike=if(count > avg_count + (3*std_dev), 1, 0)| search spike=1| table _time, recipient_email, count, avg_count, std_dev

DS0022

File

File Creation

Monitor for - Attachment creation events with excessive or repetitive file creation- Unusual file size from email messages (e.g., base64-encoded attachments dumped locally)- Burst of .eml, .msg, .tmp file extensions in mail client folders

Analytic 1 - Email file creations

EventCode=11 (file_name=".eml" OR file_name=".msg" OR file_name="*.tmp")| stats count avg(file_size) max(file_size) by user, file_path, process_name, _time| where count > 100 OR max(file_size) > 1000000| table _time, user, process_name, file_path, file_name, count, max(file_size)

DS0029

Network Traffic

Network Traffic Flow

Monitor network data for uncommon data flows. Abnormal spikes in incoming traffic volume to specific victim e-mail addresses or servers may indicate an email bombing attempt.

Analytic 1 - Suspicious network traffic

sourcetype="zeek:conn" dest_port=25 OR dest_port=465 OR dest_port=587| stats count avg(bytes_in) by src_ip, dest_ip, dest_port, _time| eventstats avg(count) as avg_flows, stdev(count) as std_flows by dest_ip| eval anomaly=if(count > avg_flows + (2*std_flows), 1, 0)| search anomaly=1| table _time, src_ip, dest_ip, dest_port, count, avg_flows

Email Bombing

Procedure Examples

Mitigations

Detection

References