Detect Email Bombing in Google Chronicle
This detection identifies email bombing attacks where adversaries flood targeted mailboxes with high volumes of inbound messages to disrupt operations, bury legitimate security alerts, or distract victims from concurrent malicious activity. The detection monitors for abnormal spikes in inbound email volume to specific recipients within short time windows, particularly identifying patterns consistent with automated list-subscription bombing (many unique senders, low-value content, rapid delivery) versus legitimate bulk mail. Email bombing is frequently observed as a precursor to vishing attacks where threat actors (notably Storm-1811) follow up with fraudulent IT support calls, making timely detection critical for preventing downstream credential theft or ransomware deployment.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1667 Email Bombing
- Canonical reference
- https://attack.mitre.org/techniques/T1667/
YARA-L Detection Query
rule detection_t1667 {
meta:
author = "Argus Detection Platform"
description = "Detects Email Bombing email activity - T1667"
severity = "HIGH"
mitre_attack = "T1667"
reference = "https://attack.mitre.org/techniques/T1667/"
events:
$e.metadata.event_type = "EMAIL_TRANSACTION"
$e.principal.user.email_addresses = $sender
$e.network.email.to = $recipient
$e.network.email.subject = $subject
(
re.regex($e.network.email.subject, `(?i)(urgent|wire.?transfer|payment|invoice|final.?notice)`) or
$e.security_result.action = "BLOCK"
)
condition:
$e
}Google Chronicle YARA-L 2.0 rule for detecting Email Bombing (T1667). Uses Chronicle UDM event model to identify email bombing behaviors across endpoint and cloud telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
- IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
- Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)
Other platforms for T1667
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Email Bombing via PowerShell SMTP Flood to Test Mailbox
Expected signal: EmailEvents table in Microsoft Defender for Office 365 will show 150 inbound messages to [email protected] within a 10-minute window. OfficeActivity logs will reflect delivery events.
- Test 2List Subscription Bombing Simulation via Curl (Linux)
Expected signal: Network proxy logs will show repeated POST requests to external web endpoints from the test host. Email gateway logs will reflect inbound confirmation messages from diverse sender domains if real newsletter endpoints are used.
- Test 3Validate Vishing Precursor Pattern — Email Bomb + RAT Execution Sequence
Expected signal: Sysmon Event ID 1 will capture anydesk.exe process creation with parent process, command line, and user context. DeviceProcessEvents in Microsoft Defender will record the process. Combined with synthetic email bombing telemetry, the hunting query should correlate the two events.
References (6)
- https://attack.mitre.org/techniques/T1667/
- https://news.sophos.com/en-us/2024/11/19/our-mdr-team-discovers-a-novel-attack-that-uses-teams-and-anydesk-in-combo-with-email-bombing/
- https://krebsonsecurity.com/2016/06/sign-up-for-email-lists-its-a-bomb/
- https://www.hhs.gov/sites/default/files/email-bombing-sector-note-tlpclear.pdf
- https://www.rapid7.com/blog/post/2024/09/17/storm-1811-abuses-quick-assist-in-ransomware-attack/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
Unlock Pro Content
Get the full detection package for T1667 including response playbook, investigation guide, and atomic red team tests.