T1667 Email Bombing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let VolumeThreshold = 100;
let TimeWindow = 30min;
let LookbackPeriod = 2h;
EmailEvents
| where Timestamp > ago(LookbackPeriod)
| where EmailDirection == "Inbound"
| where DeliveryAction != "Blocked"
| summarize
    EmailCount = count(),
    UniqueSenders = dcount(SenderFromAddress),
    UniqueDomains = dcount(SenderFromDomain),
    SenderDomainSamples = make_set(SenderFromDomain, 20),
    SubjectSamples = make_set(Subject, 10),
    FirstMessageTime = min(Timestamp),
    LastMessageTime = max(Timestamp)
    by RecipientEmailAddress, bin(Timestamp, TimeWindow)
| where EmailCount >= VolumeThreshold
| extend
    EmailsPerMinute = round(toreal(EmailCount) / 30.0, 2),
    SenderDiversityRatio = round(toreal(UniqueSenders) / toreal(EmailCount), 3),
    BurstDurationMinutes = datetime_diff('minute', LastMessageTime, FirstMessageTime)
| extend
    BombingIndicator = case(
        UniqueSenders >= 50 and EmailCount >= 200, "High Confidence - List Subscription Bombing",
        UniqueSenders >= 20 and EmailCount >= 100, "Medium Confidence - Automated Bombing",
        UniqueSenders < 5 and EmailCount >= 100, "Low Confidence - Single Source Flood",
        "Anomalous Volume"
    )
| project
    WindowStart = Timestamp,
    RecipientEmailAddress,
    EmailCount,
    UniqueSenders,
    UniqueDomains,
    EmailsPerMinute,
    SenderDiversityRatio,
    BurstDurationMinutes,
    BombingIndicator,
    SubjectSamples,
    SenderDomainSamples
| order by EmailCount desc

high severity medium confidence

Data Sources

Microsoft Defender for Office 365

Required Tables

EmailEvents

False Positives

Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)
Internal all-hands or organization-wide email distributions that generate large reply volumes
Conference or event registration confirmations and subsequent mailing list enrollments following legitimate user sign-ups

Splunk

spl

index=* (sourcetype="o365:management:activity" OR sourcetype="ms:o365:defender:emailevents" OR sourcetype="exchange:message_tracking")
| search (Operation="Receive" OR RecordType="ExchangeItem" OR event_type="EmailReceived" OR ClientInfoString="*MailboxDelivery*")
| eval recipient=coalesce('RecipientEmailAddress', 'MailboxOwnerUPN', 'recipient_address')
| eval sender=coalesce('SenderEmailAddress', 'SenderFromAddress', 'sender_address')
| eval sender_domain=replace(sender, "^[^@]+@", "")
| where isnotnull(recipient) AND recipient!=""
| bucket _time span=30m
| stats
    count as EmailCount,
    dc(sender) as UniqueSenders,
    dc(sender_domain) as UniqueDomains,
    values(sender_domain) as SenderDomains,
    values(Subject) as SubjectSamples,
    min(_time) as FirstSeen,
    max(_time) as LastSeen
    by _time, recipient
| where EmailCount >= 100
| eval EmailsPerMinute=round(EmailCount/30, 2)
| eval SenderDiversityRatio=round(UniqueSenders/EmailCount, 3)
| eval BurstDurationSeconds=(LastSeen - FirstSeen)
| eval BurstDurationMinutes=round(BurstDurationSeconds/60, 1)
| eval BombingType=case(
    UniqueSenders>=50 AND EmailCount>=200, "List Subscription Bombing",
    UniqueSenders>=20 AND EmailCount>=100, "Automated Bombing",
    UniqueSenders<5 AND EmailCount>=100, "Single Source Flood",
    1==1, "Anomalous Volume")
| eval Severity=case(
    EmailCount>=500, "Critical",
    EmailCount>=200, "High",
    EmailCount>=100, "Medium",
    1==1, "Low")
| sort - EmailCount
| table _time, recipient, EmailCount, UniqueSenders, UniqueDomains, EmailsPerMinute, SenderDiversityRatio, BurstDurationMinutes, BombingType, Severity, SubjectSamples, SenderDomains

high severity medium confidence

Data Sources

Microsoft Office 365 Exchange Message Tracking

Required Sourcetypes

o365:management:activity ms:o365:defender:emailevents

False Positives

Legitimate marketing automation platforms sending high-volume transactional email notifications to distribution lists
IT monitoring and alerting systems (PagerDuty, Nagios, Datadog) generating notification storms during infrastructure outages
User accounts that have legitimately opted into many newsletter subscriptions or event mailing lists producing elevated baseline volume
Help desk or shared mailboxes that routinely receive high volumes of inbound requests during business hours

Elastic Security (EQL)

eql

any where event.dataset : "o365.*" and event.action in (
  "Receive", "MessageDelivered", "New-InboxRule", "Set-InboxRule"
) and (
  o365.audit.Authentication_Details : ("spf=fail*", "dkim=fail*", "dmarc=fail*") or
  o365.audit.Operation : ("New-InboxRule", "UpdateInboxRules")
)

high severity medium confidence

Data Sources

Microsoft 365 Elastic O365 Integration

Required Tables

logs-o365.audit-* logs-email.*

False Positives

Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS SenderAddress,
    "RecipientAddress" AS RecipientAddress,
    "Subject" AS EmailSubject,
    CASE
        WHEN "SPFResult" = 'fail' AND "DKIMResult" = 'fail' THEN 90
        WHEN "DMARCResult" = 'fail' THEN 80
        WHEN "SPFResult" ILIKE '%fail%' THEN 65
        ELSE 50
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Exchange', 'Office 365')
    AND ("SPFResult" ILIKE '%fail%'
        OR "DKIMResult" ILIKE '%fail%'
        OR "DMARCResult" ILIKE '%fail%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)

Sumo Logic CSE

sql

_sourceCategory=o365/management
| json auto
| where operation in ("Receive","MessageDelivered","New-InboxRule","Set-InboxRule","UpdateInboxRules")
| where spf_result matches /(fail|softfail)/i OR dkim_result = "fail" OR dmarc_result = "fail"
    OR operation matches /InboxRule/i
| if(spf_result = "fail" AND dkim_result = "fail", 90,
    if(dmarc_result = "fail", 80,
    if(operation matches /InboxRule/i, 85, 65))) as risk_score
| if(operation matches /InboxRule/i, "MailboxRule",
    if(dmarc_result = "fail", "DMARCFail", "AuthFailure")) as detection_type
| where risk_score >= 65
| count by sender_address, recipient_address, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=o365/management OR _sourceCategory=microsoft/exchange

False Positives

Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)

Google Chronicle / SecOps

yaral

rule detection_t1667 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Email Bombing email activity - T1667"
    severity = "HIGH"
    mitre_attack = "T1667"
    reference = "https://attack.mitre.org/techniques/T1667/"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.principal.user.email_addresses = $sender
    $e.network.email.to = $recipient
    $e.network.email.subject = $subject
    (
      re.regex($e.network.email.subject, `(?i)(urgent|wire.?transfer|payment|invoice|final.?notice)`) or
      $e.security_result.action = "BLOCK"
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Microsoft 365 Google Workspace

Required Tables

EMAIL_TRANSACTION

False Positives

Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "EmailActivityEvent"
| EmailDirection = "Inbound"
| SPFResult = /(?i)(fail|softfail)/ OR DKIMResult = "fail" OR DMARCResult = "fail"
    OR Subject = /(?i)(urgent|wire.?transfer|payment|invoice|final.?notice)/
| case {
    SPFResult = "fail" AND DKIMResult = "fail" | RiskScore := "High" ;
    DMARCResult = "fail" | RiskScore := "High" ;
    Subject = /(?i)(wire.?transfer|payment)/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([SenderFromAddress, RecipientEmailAddress, Subject, SPFResult, DKIMResult, DMARCResult, RiskScore, DeliveryAction])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Email Protection

Required Tables

EmailActivityEvent

False Positives

Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)

Email Bombing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections