T1667 IBM QRadar · QRadar

Detect Email Bombing in IBM QRadar

This detection identifies email bombing attacks where adversaries flood targeted mailboxes with high volumes of inbound messages to disrupt operations, bury legitimate security alerts, or distract victims from concurrent malicious activity. The detection monitors for abnormal spikes in inbound email volume to specific recipients within short time windows, particularly identifying patterns consistent with automated list-subscription bombing (many unique senders, low-value content, rapid delivery) versus legitimate bulk mail. Email bombing is frequently observed as a precursor to vishing attacks where threat actors (notably Storm-1811) follow up with fraudulent IT support calls, making timely detection critical for preventing downstream credential theft or ransomware deployment.

MITRE ATT&CK

Tactic
Impact
Technique
T1667 Email Bombing
Canonical reference
https://attack.mitre.org/techniques/T1667/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS SenderAddress,
    "RecipientAddress" AS RecipientAddress,
    "Subject" AS EmailSubject,
    CASE
        WHEN "SPFResult" = 'fail' AND "DKIMResult" = 'fail' THEN 90
        WHEN "DMARCResult" = 'fail' THEN 80
        WHEN "SPFResult" ILIKE '%fail%' THEN 65
        ELSE 50
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Exchange', 'Office 365')
    AND ("SPFResult" ILIKE '%fail%'
        OR "DKIMResult" ILIKE '%fail%'
        OR "DMARCResult" ILIKE '%fail%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 1 HOURS
high severity medium confidence

IBM QRadar AQL detection for Email Bombing (T1667). Queries QRadar event pipeline for indicators consistent with email bombing adversary techniques using MITRE ATT&CK-aligned event categorization.

Data Sources

IBM QRadar SIEMWindows Security EventsEndpoint Agent

Required Tables

events

False Positives & Tuning

  • Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
  • IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
  • Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)
Download portable Sigma rule (.yml)

Other platforms for T1667

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Email Bombing via PowerShell SMTP Flood to Test Mailbox

    Expected signal: EmailEvents table in Microsoft Defender for Office 365 will show 150 inbound messages to [email protected] within a 10-minute window. OfficeActivity logs will reflect delivery events.

  2. Test 2List Subscription Bombing Simulation via Curl (Linux)

    Expected signal: Network proxy logs will show repeated POST requests to external web endpoints from the test host. Email gateway logs will reflect inbound confirmation messages from diverse sender domains if real newsletter endpoints are used.

  3. Test 3Validate Vishing Precursor Pattern — Email Bomb + RAT Execution Sequence

    Expected signal: Sysmon Event ID 1 will capture anydesk.exe process creation with parent process, command line, and user context. DeviceProcessEvents in Microsoft Defender will record the process. Combined with synthetic email bombing telemetry, the hunting query should correlate the two events.

Last updated: 2026-03-20 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1667 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1566.004Spearphishing VoiceT1657Financial TheftT1499Endpoint Denial of ServiceT1485Data DestructionT1489Service StopT1496Resource Hijacking

Same Tactic: Impact

Popular Detections