Detect Email Bombing in Splunk
This detection identifies email bombing attacks where adversaries flood targeted mailboxes with high volumes of inbound messages to disrupt operations, bury legitimate security alerts, or distract victims from concurrent malicious activity. The detection monitors for abnormal spikes in inbound email volume to specific recipients within short time windows, particularly identifying patterns consistent with automated list-subscription bombing (many unique senders, low-value content, rapid delivery) versus legitimate bulk mail. Email bombing is frequently observed as a precursor to vishing attacks where threat actors (notably Storm-1811) follow up with fraudulent IT support calls, making timely detection critical for preventing downstream credential theft or ransomware deployment.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1667 Email Bombing
- Canonical reference
- https://attack.mitre.org/techniques/T1667/
SPL Detection Query
index=* (sourcetype="o365:management:activity" OR sourcetype="ms:o365:defender:emailevents" OR sourcetype="exchange:message_tracking")
| search (Operation="Receive" OR RecordType="ExchangeItem" OR event_type="EmailReceived" OR ClientInfoString="*MailboxDelivery*")
| eval recipient=coalesce('RecipientEmailAddress', 'MailboxOwnerUPN', 'recipient_address')
| eval sender=coalesce('SenderEmailAddress', 'SenderFromAddress', 'sender_address')
| eval sender_domain=replace(sender, "^[^@]+@", "")
| where isnotnull(recipient) AND recipient!=""
| bucket _time span=30m
| stats
count as EmailCount,
dc(sender) as UniqueSenders,
dc(sender_domain) as UniqueDomains,
values(sender_domain) as SenderDomains,
values(Subject) as SubjectSamples,
min(_time) as FirstSeen,
max(_time) as LastSeen
by _time, recipient
| where EmailCount >= 100
| eval EmailsPerMinute=round(EmailCount/30, 2)
| eval SenderDiversityRatio=round(UniqueSenders/EmailCount, 3)
| eval BurstDurationSeconds=(LastSeen - FirstSeen)
| eval BurstDurationMinutes=round(BurstDurationSeconds/60, 1)
| eval BombingType=case(
UniqueSenders>=50 AND EmailCount>=200, "List Subscription Bombing",
UniqueSenders>=20 AND EmailCount>=100, "Automated Bombing",
UniqueSenders<5 AND EmailCount>=100, "Single Source Flood",
1==1, "Anomalous Volume")
| eval Severity=case(
EmailCount>=500, "Critical",
EmailCount>=200, "High",
EmailCount>=100, "Medium",
1==1, "Low")
| sort - EmailCount
| table _time, recipient, EmailCount, UniqueSenders, UniqueDomains, EmailsPerMinute, SenderDiversityRatio, BurstDurationMinutes, BombingType, Severity, SubjectSamples, SenderDomainsDetects email bombing by aggregating inbound message counts per recipient across 30-minute windows using Office 365 management activity or Exchange message tracking logs. Computes sender diversity ratios to distinguish list-subscription bombing (many unique senders from automated newsletter registrations) from single-source floods, and classifies severity based on volume thresholds.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate marketing automation platforms sending high-volume transactional email notifications to distribution lists
- IT monitoring and alerting systems (PagerDuty, Nagios, Datadog) generating notification storms during infrastructure outages
- User accounts that have legitimately opted into many newsletter subscriptions or event mailing lists producing elevated baseline volume
- Help desk or shared mailboxes that routinely receive high volumes of inbound requests during business hours
Other platforms for T1667
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Email Bombing via PowerShell SMTP Flood to Test Mailbox
Expected signal: EmailEvents table in Microsoft Defender for Office 365 will show 150 inbound messages to [email protected] within a 10-minute window. OfficeActivity logs will reflect delivery events.
- Test 2List Subscription Bombing Simulation via Curl (Linux)
Expected signal: Network proxy logs will show repeated POST requests to external web endpoints from the test host. Email gateway logs will reflect inbound confirmation messages from diverse sender domains if real newsletter endpoints are used.
- Test 3Validate Vishing Precursor Pattern — Email Bomb + RAT Execution Sequence
Expected signal: Sysmon Event ID 1 will capture anydesk.exe process creation with parent process, command line, and user context. DeviceProcessEvents in Microsoft Defender will record the process. Combined with synthetic email bombing telemetry, the hunting query should correlate the two events.
References (6)
- https://attack.mitre.org/techniques/T1667/
- https://news.sophos.com/en-us/2024/11/19/our-mdr-team-discovers-a-novel-attack-that-uses-teams-and-anydesk-in-combo-with-email-bombing/
- https://krebsonsecurity.com/2016/06/sign-up-for-email-lists-its-a-bomb/
- https://www.hhs.gov/sites/default/files/email-bombing-sector-note-tlpclear.pdf
- https://www.rapid7.com/blog/post/2024/09/17/storm-1811-abuses-quick-assist-in-ransomware-attack/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misuse-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
Unlock Pro Content
Get the full detection package for T1667 including response playbook, investigation guide, and atomic red team tests.