How Spam Bomb Attacks Are Evolving to Breach Enterprise Defenses


Threat actors keep devising new attack tactics, and they frequently do so by building on tried-and-true methods, as demonstrated by a recent surge in email spam bomb attacks. Email bombing sends a large volume of messages to a target in order to overwhelm users and systems, disrupting operations and burying malicious emails in the flood so that they go unnoticed. Spam bombing is the variant of email bombing in which the flood consists of spam: bulk newsletters and promotional mail the target never asked for.

The approach is similar in spirit to the use of Domain Generation Algorithms (DGA) in Command-and-Control (C2) communications, where the handful of live malicious connections are hidden among a much larger volume of noise. Email bombs can occur unintentionally, but the current spike in spam bombing has been analyzed by AI and cyber defense company Darktrace and is attributed to deliberate threat actor activity.

Anatomy of a Spam Bomb Attack

A spam bombing attack consists of multiple steps. The attacker first signs the target’s email address up for a large number of mass mailing lists, so that the inbox fills with subscription confirmations, newsletters and promotional content within minutes. Because each of these messages comes from a legitimate sender and looks like ordinary bulk mail, the flood itself is not blocked. The goal is an influx that no user can realistically wade through: it overwhelms the target and masks the delivery of the messages that actually matter to the attacker, such as fraudulent invoices and phishing emails.

The attacker then typically follows up with social engineering, impersonating IT or customer support when the target reaches out for help with the inundation of spam, whether by phone or over a collaboration tool such as Microsoft Teams. Vishing (voice phishing) and, increasingly, deepfake video are used at this stage to convince the target that the person on the other end is genuine support staff. Once trusted, the attacker talks the target into granting access to the device and proceeds from there, from reconnaissance to malware deployment.

Real-World Exploitation: Darktrace Case Study

From February to March 2025, Darktrace detected a cluster of similar activity initiated by a malicious actor launching email spam bomb attacks. Some of these attacks involved abuse of MailChimp’s Mandrill extension, a transactional email tool with legitimate use cases that attackers can leverage to send their own messages and obtain detailed reports on how targets interact with them. Some attacks used Microsoft Quick Assist remote-assistance sessions to place files on the target device in an attempt to achieve lateral movement. Afterwards, affected devices were observed performing LDAP reconnaissance, initiating network scans, and making repeated failed SMB session requests, such as NTLM authentication attempts.

Darktrace’s platforms worked in coordination to detect these spam bombing attacks. EMAIL detected the influx of spam and identified the abuse of the Mandrill extension. NETWORK’s AI Analyst detected the scanning and reconnaissance carried out by target devices after the targets had communicated with the threat actors over Teams or by phone. The IDENTITY platform, through its integration with Microsoft Defender, surfaced the anomalous activity and helped locate the aberrant Quick Assist requests.

Why Traditional Email Gateways Fail

“The real challenge is detecting these behavioral anomalies rather than relying on content-based filters,” says J Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext. “Solutions that focus on identifying unusual patterns in email activity and rapid registration bursts are key to staying ahead of this evolving tactic. If you have a solution looking for traditional spam, it won't capture these.” Email bombing is an old tactic, but the new ways bad actors are carrying it out make it harder to defend against, and traditional email protection is liable to miss spam bombing attacks for several reasons.

Legacy email security solutions evaluate each message in isolation for indicators of attack, rather than recognizing patterns across many messages and understanding them in context. A single newsletter or subscription confirmation from a reputable mailing-list provider passes every per-message check, so the flood is only visible in aggregate: bulk messages from dozens or hundreds of distinct senders arriving at one mailbox within minutes. These tools also cannot recognize this kind of swarm behavior when it arrives through legitimate services that have been abused or compromised, and they lack adaptive response capabilities to keep improving detection and response as the threat landscape shifts.
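The aggregate check that the anatomy section and the two paragraphs above argue for can be expressed in a few lines. The following Python script is an added example for this article, not code from Darktrace, SlashNext or any other vendor: it reads a constructed, whitespace-separated mail log (timestamp, recipient, sender domain, and whether the message carried bulk/list headers), flags any recipient that receives bulk mail from at least eight distinct sender domains inside a ten-minute sliding window, and then lists the non-bulk messages that landed during that burst, which are the ones the flood exists to hide. The field layout, the thresholds, the `example` domains and every log line are assumptions made for the demonstration.

```python
"""
Burst detection for inbox flooding. Added example for this article; not
Darktrace, SlashNext or any vendor's code. Every log line is constructed,
and the log format (ts, recipient, sender domain, list|direct) is an
assumption about what a gateway or mailbox export might provide.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Msg:
    ts: datetime
    rcpt: str
    sender_domain: str
    is_list: bool  # True when the message carried bulk/list headers


@dataclass
class Burst:
    start: datetime
    end: datetime
    distinct: int  # peak number of distinct bulk-sender domains in one window


# Constructed sample. alice is bombed from 09:00; the single non-list message
# in the middle of the flood (invoice-portal.example) stands in for the
# fraudulent invoice the flood is meant to mask. bob shows ordinary volume.
SAMPLE_LOG = """\
# timestamp            recipient          sender_domain            kind
2025-03-04T08:45:00Z   alice@example.com  corp.example             direct
2025-03-04T09:00:12Z   alice@example.com  news-a.example           list
2025-03-04T09:00:40Z   alice@example.com  shop-b.example           list
2025-03-04T09:01:05Z   alice@example.com  deals-c.example          list
2025-03-04T09:01:30Z   alice@example.com  forum-d.example          list
2025-03-04T09:02:02Z   alice@example.com  blog-e.example           list
2025-03-04T09:02:45Z   alice@example.com  store-f.example          list
2025-03-04T09:03:10Z   alice@example.com  promo-g.example          list
2025-03-04T09:03:50Z   alice@example.com  club-h.example           list
2025-03-04T09:04:20Z   alice@example.com  mag-i.example            list
2025-03-04T09:04:55Z   alice@example.com  travel-j.example         list
2025-03-04T09:05:10Z   alice@example.com  invoice-portal.example   direct
2025-03-04T09:06:00Z   alice@example.com  news-a.example           list
2025-03-04T08:30:00Z   bob@example.com    news-a.example           list
2025-03-04T09:10:00Z   bob@example.com    shop-b.example           list
2025-03-04T09:15:00Z   bob@example.com    corp.example             direct
"""


def parse_log(text: str) -> List[Msg]:
    """Parse the log above into Msg records ordered by delivery time."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, rcpt, domain, kind = line.split()
        msgs.append(Msg(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        rcpt, domain, kind == "list"))
    return sorted(msgs, key=lambda m: m.ts)


def find_bursts(msgs: List[Msg], window: timedelta = timedelta(minutes=10),
                min_distinct: int = 8) -> Dict[str, Burst]:
    """Flag recipients that get bulk mail from >= min_distinct distinct sender
    domains inside any sliding window. Counting distinct domains rather than
    raw message count separates a bomb (many unrelated lists at once) from
    one chatty newsletter, which no per-message filter can do."""
    by_rcpt: Dict[str, List[Msg]] = defaultdict(list)
    for m in msgs:
        if m.is_list:
            by_rcpt[m.rcpt].append(m)

    bursts: Dict[str, Burst] = {}
    for rcpt, bulk in by_rcpt.items():
        win: deque = deque()
        for m in bulk:
            win.append(m)
            while m.ts - win[0].ts > window:   # drop messages older than the window
                win.popleft()
            domains = {x.sender_domain for x in win}
            if len(domains) < min_distinct:
                continue
            if rcpt not in bursts:
                bursts[rcpt] = Burst(win[0].ts, m.ts, len(domains))
            else:                               # extend the burst as it continues
                bursts[rcpt].end = m.ts
                bursts[rcpt].distinct = max(bursts[rcpt].distinct, len(domains))
    return bursts


def masked_messages(msgs: List[Msg], bursts: Dict[str, Burst]) -> List[Msg]:
    """Non-bulk messages delivered to a bombed recipient during the burst:
    the small set a human or a second-stage analyzer should actually read."""
    return [m for m in msgs
            if not m.is_list and m.rcpt in bursts
            and bursts[m.rcpt].start <= m.ts <= bursts[m.rcpt].end]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    found = find_bursts(log)
    for rcpt, b in found.items():
        print(f"{rcpt}: {b.distinct} distinct list senders "
              f"between {b.start:%H:%M:%S} and {b.end:%H:%M:%S}")
    for m in masked_messages(log, found):
        print(f"  triage: {m.ts:%H:%M:%S} from {m.sender_domain}")
```

On the sample, only alice is flagged (ten distinct list senders between 09:00:12 and 09:06:00) and the single message pulled out for triage is the non-bulk one from invoice-portal.example; bob’s two newsletters never cross the threshold. The choice of distinct sender domains, not message count, as the burst metric is deliberate: it is the registration-burst signal the quoted analyst describes, and it stays quiet for a single high-volume but legitimate list.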

Rise of Ransomware-as-a-Service

These email spam bombing attacks may be a recent spike, but they are connected to broader threat trends of the past few years. Ransomware-as-a-Service (RaaS) has been on the rise, lowering the barrier to entry for cybercriminals to launch ransomware attacks that endanger sensitive data, disrupt operations, and cost organizations resources, revenue and reputation. The RaaS group known as Black Basta, tracked by Microsoft as Storm-1811, has been observed using email spam bombing techniques.

Email spam bombing also goes hand in hand with human-centric manipulation. In the wake of the flood, vishing and other social engineering, with the attacker posing as customer support or IT, is what turns an unusable inbox into a compromised account or device, and those footholds enable the follow-on activity that makes the bombing worthwhile. The attacks are also growing more sophisticated in line with general threat trends: attackers layer benign components, such as legitimate mailing lists and legitimate remote-assistance tools, with malicious ones to muddy the waters and evade detection.

Implications for Enterprise Security

The effective use of spam bombing alongside these other tactics has troubling implications for the security of organizations. The sheer volume of email generates noise that traditional security tools cannot cut through to find indicators of breached data and compromised systems, and neither human users nor security teams can analyze that volume and pick out threats at the scale required. This argues for integrated email, network and identity protection, AI-driven where appropriate, that detects anomalous behavior rather than only matching known-bad content.

Using AI in cybersecurity is a balancing act, and organizations should weigh the tradeoffs between human insight and autonomous response. Autonomous incident response copes with volumes of threat behavior that humans cannot, but human oversight remains essential to ensure that AI tools are taking sound and safe actions.

Securing the Signal Amid the Spam

The recent surge in spam bombing should drive home the need for enterprises to evolve their email security strategies beyond static filters. Sophisticated and evolving attack techniques call for adaptable defenses. Legacy tools largely search for known threats, whereas evolving attacks require behavioral analysis that notices anomalies in volume, sender diversity and timing across a mailbox, not just inside one message. The future of email security rests on organizations’ ability to integrate dynamic, behavior-based detection with human incident response in a secure and effective way.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.