title: Email Bombing (T1667)
id: df00tech-t1667
status: experimental
description: "This detection identifies email bombing attacks where adversaries flood targeted mailboxes with high volumes of inbound messages to disrupt operations, bury legitimate security alerts, or distract victims from concurrent malicious activity. The detection monitors for abnormal spikes in inbound email volume to specific recipients within short time windows, particularly identifying patterns consistent with automated list-subscription bombing (many unique senders, low-value content, rapid delivery) versus legitimate bulk mail. Email bombing is frequently observed as a precursor to vishing attacks where threat actors (notably Storm-1811) follow up with fraudulent IT support calls, making timely detection critical for preventing downstream credential theft or ransomware deployment."
references:
  - https://attack.mitre.org/techniques/T1667/
  - https://df00tech.com/detections/T1667
author: df00tech
date: 2026/03/20
tags:
  - attack.t1667
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Large marketing campaigns or product launches where the organization receives legitimate high-volume replies or registrations
  - IT monitoring systems generating notification floods due to alerting misconfiguration or infrastructure incidents affecting many monitored systems simultaneously
  - Users who have voluntarily subscribed to multiple high-volume newsletters or mailing lists (adjust threshold or add recipient exclusions for known high-volume users)
  - Internal all-hands or organization-wide email distributions that generate large reply volumes
  - Conference or event registration confirmations and subsequent mailing list enrollments following legitimate user sign-ups
level: high