At a Glance
- Email Bombing campaigns overwhelm inboxes with thousands of junk emails.
- Attackers exploit user frustration to launch help desk impersonation scams.
- SOC observed misuse of Quick Assist for unauthorized remote access attempts.
- Attackers use automation and randomization to evade spam filters.
Executive Summary
Email Bombing (also called “Email Blast” or “Inbox Stuffing”) has re-emerged as a disruptive tactic against enterprises. At first glance, the attack looks like an ordinary spam flood, but it often serves a dual purpose:
- To distract users and hide critical alerts (e.g., account takeovers, subscription confirmations).
- To enable social engineering follow-ups, where scammers impersonate IT or Microsoft support and trick victims into granting remote access.
While the initial wave may appear harmless or annoying, the real risk lies in post-bombing engagement, which can lead to credential theft, data compromise, and financial fraud.
What’s Happening?
The Email Bombing Tactic
- Attackers use automated tools to send thousands of emails to a single target in a short span.
- Subjects and senders vary randomly to bypass filters.
- Bulk messages are often redirected to Junk/Spam, but enough slip through to overwhelm users.
The Social Engineering Angle
- Once frustration sets in, attackers call or email the victim, posing as IT support.
- They claim to “fix the spam issue” and guide users to use Quick Assist (or similar remote tools).
- Users are tricked into sharing session codes, granting attackers full remote access.
- In some observed cases, attackers hid password reset or MFA alerts under the flood of spam.
Why This Matters to Our Clients
- Operational Disruption: Users spend hours sorting inboxes instead of working.
- Distraction Risk: Real alerts (e.g., financial fraud, account takeovers) may be missed.
- Social Engineering Escalation: Remote access via Quick Assist = full device compromise.
- Brand Damage: Employees misled by impersonators could lose trust in internal IT.
ProArch SOC Observations
- Recent case: Targeted user received thousands of emails in a short timeframe.
- 99% landed in Junk folder, but user was still overwhelmed.
- SOC confirmed spammer IPs and domains were blocked, inbox cleaned as much as possible.
- Follow-up calls impersonating Microsoft support were attempted post-attack.
- This aligns with global threat intel reporting spikes in email bombing-for-distraction campaigns.
Recommendations
User Awareness:
- Educate employees to recognize fake IT/Microsoft calls after email floods.
- Reinforce: IT/SOC will never ask users to install or share Quick Assist codes with external parties.
Technical Defences:
- Enhance spam filter rules with bulk-detection thresholds.
- Implement mailbox protection tools that flag sudden surges.
- Monitor for unusual account activity during/after bombing events.
Response Playbook:
- If email bombing is detected, SOC to block sending IPs/domains and purge affected inboxes.
- Encourage users to report any post-attack calls or emails claiming to be IT/Microsoft.
- Escalate suspicious Quick Assist or remote tool use for forensic review.