
Email Bombing Defused: An Explanation of the Attack and How to Protect Against It

Written by Nikola Talevski / 03.12.2024 /

Imagine waking up to thousands of emails flooding your inbox: subscriptions you never signed up for, random notifications and junk mail piling up faster than you can delete it. This is a calculated, disruptive attack called mail bombing, designed to drown out the emails that truly matter to you and your business. In November 2024 we observed mail bombing attacks as part of Black Basta ransomware operations, where attackers combine the email flood with Microsoft Teams-based social engineering, leading the target to accept fake IT support requests and grant access via remote monitoring and management (RMM) tools.

This article explores how email bombing works, why it’s more than just a nuisance, and how you can defend your inbox against this sneaky tactic. 

What is Mail Bombing, and Why Does It Matter?

Mail bombing, also known as email flooding or email bombarding, is a type of Denial of Service (DoS) attack that overwhelms an email address or server by flooding it with hundreds to thousands of messages. It can be carried out by a single actor or a group, often with the help of a botnet. The attacker's end game is to make the victim's inbox virtually unusable, concealing genuine emails, such as account login and password reset notifications, details of a financial transaction, or confirmations of online orders, under a deluge of spam and junk mail.

The vector threat actors exploit is the absence of rate limiting on email-sending web applications: a subscription or sign-up function that sends a confirmation email without robust server-side rate limits or a client-side CAPTCHA. If the only check the form performs is whether the address is already subscribed before sending its "subscription successful" message, nothing stops an attacker from scripting submissions of the victim's address across thousands of such forms, flooding the inbox and causing significant disruption. Newsletter services that skip the verification (double opt-in) email and simply start sending to whatever address is entered are another variant; even services that do send one still contribute that single verification email to the flood, so it is often part of the attack as well.
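To make the failure mode concrete, here is an added example (not code from this article or from any real subscription service) that models a sign-up endpoint in two forms: one that sends a confirmation on every submission, and one with the server-side controls the paragraph calls for, namely a per-address limit of one confirmation per day, a per-source-IP limit, a CAPTCHA check and double opt-in. The handler names, the `always_solved` CAPTCHA verifier, the limits, the timestamps and the victim address are all assumptions chosen for illustration.

```python
"""Sign-up endpoint without and with abuse controls (constructed model, not
code from this article or from any real newsletter service)."""
import secrets
from collections import defaultdict, deque


class Outbox:
    """Stand-in for the mail relay: records what would have been sent."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window_s`-second window."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class VulnerableSubscribe:
    """Sends 'subscription successful' on every POST: no limit, no CAPTCHA, no opt-in."""
    def __init__(self, outbox):
        self.outbox, self.subscribed = outbox, set()

    def handle(self, email, src_ip, captcha_token, now):
        self.subscribed.add(email)
        self.outbox.send(email, "Subscription successful")
        return "ok"


class HardenedSubscribe:
    """Per-address and per-IP limits enforced server-side, CAPTCHA check, double opt-in."""
    def __init__(self, outbox, captcha_verifier):
        self.outbox, self.captcha_ok = outbox, captcha_verifier   # verifier is assumed
        self.per_email = SlidingWindowLimiter(limit=1, window_s=24 * 3600)
        self.per_ip = SlidingWindowLimiter(limit=20, window_s=3600)
        self.pending, self.subscribed = {}, set()                 # opt-in token -> address

    def handle(self, email, src_ip, captcha_token, now):
        if not self.captcha_ok(captcha_token):
            return "rejected"
        if not self.per_ip.allow(src_ip, now):
            return "throttled"
        # Identical response whether or not mail goes out, so the form does not
        # reveal whether an address is known or currently rate-limited.
        if email in self.subscribed or not self.per_email.allow(email, now):
            return "accepted"
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        self.outbox.send(email, "Confirm your subscription")    # the one opt-in mail
        return "accepted"

    def confirm(self, token):
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.subscribed.add(email)
        return True


def always_solved(captcha_token):
    """Assumed CAPTCHA verifier; the simulated attacker is modelled as passing it."""
    return captcha_token == "solved"


def simulate_attack(handler_cls, attempts=5000, n_ips=50):
    """Script `attempts` sign-ups of one victim address from `n_ips` source IPs
    within about 50 seconds; return how many emails the victim would receive."""
    outbox = Outbox()
    handler = (HardenedSubscribe(outbox, always_solved) if handler_cls is HardenedSubscribe
               else handler_cls(outbox))
    t0 = 1_731_400_000.0                                        # arbitrary epoch seconds
    for i in range(attempts):
        handler.handle("victim@example.com", f"203.0.113.{i % n_ips}", "solved", t0 + i * 0.01)
    return len(outbox.sent)


def legitimate_flow():
    """One genuine sign-up through the hardened handler: exactly one confirmation
    mail, and the address counts as subscribed only after the token comes back."""
    outbox = Outbox()
    h = HardenedSubscribe(outbox, always_solved)
    h.handle("alice@example.org", "198.51.100.7", "solved", 1_731_400_000.0)
    token = next(iter(h.pending))
    return len(outbox.sent), h.confirm(token), "alice@example.org" in h.subscribed


if __name__ == "__main__":
    print("vulnerable endpoint:", simulate_attack(VulnerableSubscribe))   # 5000
    print("hardened endpoint:  ", simulate_attack(HardenedSubscribe))     # 1
    print("legitimate sign-up: ", legitimate_flow())                       # (1, True, True)
```

The hardened handler still sends one confirmation, which is exactly the point of the last sentence above: double opt-in caps the damage per site at a single message, and it is the server-side per-address limit, not the CAPTCHA (which the simulated attacker passes), that stops repeat submissions from turning into a flood. Across thousands of sites that one message each is still the attack, so the receiving side needs its own detection as well.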

The Motive and Types of Attacks

Primarily, this tactic is used as a decoy: it masks activity on an already compromised account so the attacker can carry out further malicious actions. The denial of service caused by a subscription-based attack hides the traces of the threat actor's lateral movement, or of their move into the corporate infrastructure, and so limits the chances of detection by the security team. Below I briefly explain how these attacks unfold and the methods that are used:

  • The subscription-based attack is often used as a distraction to bury important emails, such as legitimate transaction notifications, in heaps of subscription confirmations. The victim may lose important information if they mass-delete mail to get rid of the flood, completely unaware of what was in it. For example, if an attacker has taken over a victim's Payoneer account and made a fraudulent transaction, the victim would normally receive a confirmation email from Payoneer with the transaction details and could quickly raise an alert with Payoneer support and decline the transaction. If the attacker launches a subscription bombing attack at the same time, however, the victim's address is flooded with hundreds or even thousands of unsolicited emails, typically for several hours or days, and the fraudulent transaction email is buried in the pile. The mess obstructs any investigation (if the end user or the security team detects the attack at all), by which time it may be too late: the threat actor has completed their goal, whether moving laterally or harvesting more sensitive information, using the deluge of emails as a smoke screen.
  • A Denial of Service (DoS) attack has the same end game but takes a slightly different approach. As mentioned earlier, if the email server has no rate-limiting rules, an attacker can flood it with thousands of emails in a short time and render it useless, preventing critical emails from reaching your organization, with a heavy impact on business continuity and service operations.

In addition to the above, a DoS attack on the email server can be carried out to mask another cyberattack that is taking place, such as:

  • Exfiltration of data: while the security team is busy mitigating the email overload, threat actors may be exploiting vulnerabilities elsewhere, exfiltrating data, deploying ransomware, or compromising the infrastructure further.
  • Probing the organization's security posture: overloading the server can reveal missing or weak configurations, which the attackers use later to craft a better attack.
  • Extortion: a common use case for DoS against an email server, since many businesses lose prospective clients and suffer reputational damage if their email service is unavailable for a longer period. Attackers demand a ransom to restore availability.
  • Using the flooded inbox as a lure for "IT support" is another common tactic. As the end user stares at their inbox in disbelief, a helpful IT person (the attackers, springing the second part of their attack) pops up on Teams, by phone call or through some other channel, explains that they have noticed the problem, and asks the user to install a handy remote access tool so they can fix it. We have seen this tactic used by the Black Basta ransomware gang, and others are sure to follow suit.

How to Defend against Mail Bombing Attacks

Defense in depth is the way to go here. No single control is sufficient on its own; layering multiple detection techniques with machine learning-based classification is a robust way to prevent and contain email attacks. One effective method is to categorize emails into groups such as spam and bulk mail, while applying dedicated filters for harmful mail such as malware, business email compromise (BEC) and phishing. These filters quarantine malicious emails before they reach the user's inbox. They also work at the user level: a visibly flagged message helps the user understand the danger, and users who understand the risks are less likely to fall victim to malicious attempts.

A tracking solution with robust search capabilities, extensive control over email flow, real-time threat detection and email warning tags increases user awareness and builds the much-needed human firewall for safer decision-making.

Below, we look at the Hornetsecurity detection and protection features that strengthen the identification and prevention of mail bombing attacks.

Identification of Notification Patterns

Hornetsecurity's Spam and Malware Protection safeguards against wide-scale DoS and targeted mail bombing attacks. The system automatically detects various types of notification emails, such as newsletter subscription confirmations, account registrations, password resets and security alerts. It also monitors the frequency of these emails and activates protection when their rate indicates an attack. Once activated, the system automatically quarantines the emails that match the attack pattern.
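As an illustration of the pattern-plus-frequency idea, here is an added example that is not Hornetsecurity's implementation (whose rules and thresholds are not shown in this article). It runs over constructed log records: it recognises notification-style messages by sender and subject, counts them per recipient in a sliding ten-minute window, and once the count passes a threshold marks every further match as Spam with the reason Mail Bombing, while leaving unrelated mail alone. The subject patterns, the sender list, the 600-second window, the threshold of 25 and the sample addresses are all assumptions.

```python
"""Notification-burst detector over inbound mail log records (constructed
example; not Hornetsecurity's code, whose rules this article does not show)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Subject phrases typical of sign-up, registration and password-reset mail
# (assumed list for illustration).
NOTIFICATION_SUBJECTS = [re.compile(p, re.I) for p in (
    r"confirm your (subscription|email|sign[- ]?up)",
    r"welcome to\b",
    r"verify your (email|account)",
    r"thanks for (subscribing|signing up|registering)",
    r"subscription (successful|confirmed)",
    r"reset your password",
)]
AUTOMATED_SENDERS = {"noreply", "no-reply", "donotreply", "newsletter", "notifications"}
WINDOW_S = 600   # sliding window length in seconds (assumed)
THRESHOLD = 25   # notifications per recipient inside the window before acting (assumed)


def looks_like_notification(sender, subject):
    local_part = sender.split("@", 1)[0].lower()
    return local_part in AUTOMATED_SENDERS or any(p.search(subject) for p in NOTIFICATION_SUBJECTS)


def classify(records):
    """records: (iso_timestamp, sender, recipient, subject) tuples.
    Returns one verdict dict per record in time order, using the two labels the
    article names: mail_type "Spam" and reason "Mail Bombing" for quarantined items."""
    recent = defaultdict(deque)   # recipient -> timestamps of recent notification mail
    activated = set()             # recipients for whom protection has been switched on
    verdicts = []
    for ts_s, sender, rcpt, subject in sorted(records, key=lambda r: r[0]):
        ts = datetime.fromisoformat(ts_s).timestamp()
        verdict = {"ts": ts_s, "from": sender, "to": rcpt, "subject": subject,
                   "mail_type": "Clean", "reason": None}
        if looks_like_notification(sender, subject):
            q = recent[rcpt]
            q.append(ts)
            while ts - q[0] > WINDOW_S:      # drop notifications older than the window
                q.popleft()
            if len(q) > THRESHOLD:           # burst detected; stays on for this recipient
                activated.add(rcpt)
            if rcpt in activated:            # quarantine every later match, not earlier mail
                verdict["mail_type"], verdict["reason"] = "Spam", "Mail Bombing"
        verdicts.append(verdict)
    return verdicts


def sample_records():
    """Constructed log: 40 sign-up confirmations to one victim inside five
    minutes, with one colleague's reply and one bank alert mixed in."""
    t0 = datetime(2024, 11, 12, 9, 0, tzinfo=timezone.utc)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    subjects = ["Confirm your subscription to Daily Deals", "Welcome to Widget Weekly",
                "Please verify your email address", "Thanks for signing up!"]
    recs = [(at(5 * i), f"noreply@site{i}.example", "victim@corp.example", subjects[i % 4])
            for i in range(40)]
    recs.append((at(100), "maria@corp.example", "victim@corp.example", "Re: Q4 budget"))
    recs.append((at(120), "alerts@bank.example", "victim@corp.example",
                 "Transaction approved: 2,400.00 USD"))
    return recs


def summarize(verdicts):
    """Return (quarantined, delivered) counts, the split an admin would search by."""
    quarantined = sum(1 for v in verdicts if v["reason"] == "Mail Bombing")
    return quarantined, len(verdicts) - quarantined


if __name__ == "__main__":
    results = classify(sample_records())
    print(summarize(results))                 # (15, 27)
    for v in results:
        if v["reason"] is None and v["from"].split("@")[0] != "noreply":
            print("delivered:", v["from"], "-", v["subject"])
```

Protection switches on at the 26th notification, so the first 25 have already been delivered; only later matches are quarantined. The bank alert passes here because it comes from alerts@bank.example and its subject matches none of the patterns. Had it come from a noreply@ address it would have been swept up as well, which is why the ability to search the quarantine by reason and restore a false positive, and to allow-list trusted transactional senders, matters as much as the detection itself.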

Monitoring Mail Bombing Attacks with Email Live Tracking

If your email system suddenly becomes sluggish (mail is slow, or does not appear to be sent or received), the cause may be that your mail server is trying to process a very large number of messages. Monitoring your traffic with the Hornetsecurity Email Live Tracking module helps you spot such an attack early: it gives users and administrators comprehensive, real-time visibility into email traffic. Users can monitor their own incoming and outgoing emails, including those addressed to their aliases. Administrators gain additional control and can view traffic across entire domains or customers by adjusting their scope in the Control Panel.

Additionally, administrators can quickly filter or search for emails marked "Mail Bombing" to review them or take action.

Marking and Identification

• Mail Type: quarantined emails are categorized as Spam
• Reason: each email is flagged with the specific reason Mail Bombing

This labeling streamlines management and allows legitimate communications to be restored quickly if a false positive is quarantined.

The module also integrates with archiving services, offering access to historical emails. With customizable views, advanced filtering and export options, Email Live Tracking supports efficient email management and the flexibility to spot anomalous behavior. External auditors can be given access to email traffic for compliance purposes, enhancing oversight while preserving the privacy of emails marked as private.

Mitigation Strategies Through Allow Lists

Besides monitoring, an effective proactive defense is managing email permissions through allow lists. The Deny & Allow Lists module manages email filtering: each user can create personal lists, while administrators oversee both individual and domain-level lists. Deny lists flag emails from specific senders as spam and redirect them to quarantine, while allow lists let trusted senders bypass the spam filter. At the domain level, admins can customize which filters an allow-list entry bypasses. One practical use during a mail bombing attack is to allow-list the transactional senders that matter (your bank, payment provider or identity provider), so that the very emails the flood is meant to hide are not quarantined along with it.

Key Features

• Personal and Domain Control: users manage individual lists while admins control domain-wide settings.
• Customizable Filters: allow lists can bypass spam and other filters at the domain level.
• Easy Management: import and export lists as comma-separated values (CSV) for bulk updates.

The modules presented above help organizations prevent and contain mail bombing, as they enable effective management of spam filters and provide real-time, proactive monitoring. This is a powerful form of hardening against the expanding threat of Denial of Service (DoS) attacks, which are growing at a Compound Annual Growth Rate (CAGR) of 14%.


Secure Your Email Against Mail Bombing with Hornetsecurity

Don't let mail bombing attacks disrupt your business operations. With Hornetsecurity's Spam and Malware Protection system, you can maintain email continuity and secure your inbox effectively.

Request a demo today to find out how Hornetsecurity can enhance your organization's email security.


Conclusion

With this information in mind, we stand a better chance against the never-ending cycle of tactics, techniques and methods that threat actors employ. Email is a key resource and the main channel of communication between businesses and customers, so it is frequently targeted and exploited, and humans remain the primary target for exploitation, which is sad but true. We can either close our eyes and hope for the best, or be proactive and harden our infrastructure with preventive techniques and tools so we can defend ourselves against this type of email bombing attack.

FAQ

What is email bombing, and why should I care?

Email bombing is a cyberattack that floods your inbox with unsolicited mail, burying critical emails and enabling attackers to commit fraud or hide malicious activity behind the noise.

How do mail bombing attacks work?

Attackers script sign-ups of the victim's address on thousands of subscription forms that lack rate limiting or verification, or use botnets to send the flood directly. The goal is to distract and disrupt the victim while something else happens.

How can I protect my inbox from mail bombing?

Use multi-layered security: spam filtering that recognises notification bursts, allow lists for trusted transactional senders, and real-time monitoring tools such as Hornetsecurity's Email Live Tracking to detect and mitigate the attack.