Detect Email Bombing in Microsoft Sentinel
This detection identifies email bombing attacks where adversaries flood targeted mailboxes with high volumes of inbound messages to disrupt operations, bury legitimate security alerts, or distract victims from concurrent malicious activity. The detection monitors for abnormal spikes in inbound email volume to specific recipients within short time windows, particularly identifying patterns consistent with automated list-subscription bombing (many unique senders, low-value content, rapid delivery) versus legitimate bulk mail. Email bombing is frequently observed as a precursor to vishing attacks where threat actors (notably Storm-1811) follow up with fraudulent IT support calls, making timely detection critical for preventing downstream credential theft or ransomware deployment.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1667 Email Bombing
- Canonical reference
- https://attack.mitre.org/techniques/T1667/
KQL Detection Query
let VolumeThreshold = 100;
let TimeWindow = 30min;
let LookbackPeriod = 2h;
EmailEvents
| where Timestamp > ago(LookbackPeriod)
| where EmailDirection == "Inbound"
| where DeliveryAction != "Blocked"
| summarize
EmailCount = count(),
UniqueSenders = dcount(SenderFromAddress),
UniqueDomains = dcount(SenderFromDomain),
SenderDomainSamples = make_set(SenderFromDomain, 20),
SubjectSamples = make_set(Subject, 10),
FirstMessageTime = min(Timestamp),
LastMessageTime = max(Timestamp)
by RecipientEmailAddress, bin(Timestamp, TimeWindow)
| where EmailCount >= VolumeThreshold
| extend
EmailsPerMinute = round(toreal(EmailCount) / 30.0, 2),
SenderDiversityRatio = round(toreal(UniqueSenders) / toreal(EmailCount), 3),
BurstDurationMinutes = datetime_diff('minute', LastMessageTime, FirstMessageTime)
| extend
BombingIndicator = case(
UniqueSenders >= 50 and EmailCount >= 200, "High Confidence - List Subscription Bombing",
UniqueSenders >= 20 and EmailCount >= 100, "Medium Confidence - Automated Bombing",
UniqueSenders < 5 and EmailCount >= 100, "Low Confidence - Single Source Flood",
"Anomalous Volume"
)
| project
WindowStart = Timestamp,
RecipientEmailAddress,
EmailCount,
UniqueSenders,
UniqueDomains,
EmailsPerMinute,
SenderDiversityRatio,
BurstDurationMinutes,
BombingIndicator,
SubjectSamples,
SenderDomainSamples
| order by EmailCount descDetects email bombing attacks by monitoring inbound email volume spikes per recipient within 30-minute windows using Microsoft Defender for Office 365 EmailEvents data. Identifies list-subscription bombing patterns (high sender diversity, high volume) and single-source flooding. Classifies confidence based on sender diversity ratios characteristic of automated newsletter registration bots versus targeted spam campaigns.
Data Sources
Required Tables
False Positives & Tuning
- Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
- IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
- Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)
- Internal all-hands or organization-wide email distributions that generate large reply volumes
- Conference or event registration confirmations and subsequent mailing list enrollments following legitimate user sign-ups
Other platforms for T1667
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Email Bombing via PowerShell SMTP Flood to Test Mailbox
Expected signal: EmailEvents table in Microsoft Defender for Office 365 will show 150 inbound messages to [email protected] within a 10-minute window. OfficeActivity logs will reflect delivery events.
- Test 2List Subscription Bombing Simulation via Curl (Linux)
Expected signal: Network proxy logs will show repeated POST requests to external web endpoints from the test host. Email gateway logs will reflect inbound confirmation messages from diverse sender domains if real newsletter endpoints are used.
- Test 3Validate Vishing Precursor Pattern — Email Bomb + RAT Execution Sequence
Expected signal: Sysmon Event ID 1 will capture anydesk.exe process creation with parent process, command line, and user context. DeviceProcessEvents in Microsoft Defender will record the process. Combined with synthetic email bombing telemetry, the hunting query should correlate the two events.
References (6)
- https://attack.mitre.org/techniques/T1667/
- https://news.sophos.com/en-us/2024/11/19/our-mdr-team-discovers-a-novel-attack-that-uses-teams-and-anydesk-in-combo-with-email-bombing/
- https://krebsonsecurity.com/2016/06/sign-up-for-email-lists-its-a-bomb/
- https://www.hhs.gov/sites/default/files/email-bombing-sector-note-tlpclear.pdf
- https://www.rapid7.com/blog/post/2024/09/17/storm-1811-abuses-quick-assist-in-ransomware-attack/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
Unlock Pro Content
Get the full detection package for T1667 including response playbook, investigation guide, and atomic red team tests.