Defusing the Bomb: How to Recognize and Mitigate Email Bomb Attacks

Overview
At Sedara we’ve observed a recent rise in email bomb attacks. This security bulletin explains what an email bomb is and how attackers use it to launch more harmful attacks. It also outlines practical steps you can take to reduce your risk of becoming a target.
What is an Email Bomb?
An email bomb—also called a registration bomb or link listing attack—is a tactic where a malicious actor signs up a victim for hundreds or thousands of mailing lists. As a result, the victim’s inbox floods with signup confirmation emails. Attackers often automate this process, making it easy to overwhelm someone’s inbox quickly. Since most mailing list signups are free and don’t require authentication, this attack is simple to execute.
At first glance, email bombs may seem like a minor annoyance. However, attackers often use them for more harmful purposes:
- The massive influx of emails can overwhelm the victim’s inbox, causing email providers to disable the account temporarily—essentially creating a denial-of-service situation.
- Attackers use the spam to bury critical notifications, such as alerts about suspicious account activity or recent financial transactions.
- The sign-up spam can serve as a setup for a social engineering attack, which we’ll explore more below.
Defending against email bombs is challenging. Anyone can sign up an email address for public mailing lists, and most email filters won’t block confirmation emails from legitimate sources. This makes email bombs easy to launch and difficult to stop. While they might seem minor on their own, attackers often use them to conceal or set up more serious threats.
Email Bombs as a Pretext for Social Engineering
One of the more nefarious reasons malicious actors conduct email bomb attacks is to use them as a pretext for a successful phishing campaign. Phishing attacks are most dangerous when users are distracted or stressed and when the pretext seems believable. Consider the following chain of events, which has been observed in actual successful attacks:
- A malicious actor conducts an email bomb by signing up a victim for unsolicited email.
- The victim receives a sudden deluge of email from mailing lists.
- The malicious actor conducts a phishing attack by contacting the victim through phone or a communication platform like Teams. The malicious actor pretends to be from the victim’s IT department and claims that IT noticed the victim received a large amount of spam email. The malicious actor requests that the victim grant the malicious actor access to their device to fix the spam issue.
- The victim grants the malicious actor access to their device, such as via a remote management tool like Microsoft Quick Assist.
- While in control of the victim’s device the malicious actor executes harmful software in order to perform reconnaissance, steal credentials, maintain access, or conduct lateral movement.
In this scenario, the malicious actor carries out a highly effective phishing attack by posing as someone from IT. This works because IT is likely the only department aware of the victim’s sudden flood of unsolicited emails. The attacker uses the email bomb as a pretext to appear trustworthy and helpful.
Keep in mind, email bombs can also support denial-of-service attacks or hide important security alerts and notifications from users.
Mitigations
The email bomb is a difficult attack to defend against as it is easy to conduct and often bypasses traditional email filtering rules. While there is no single prevention for email bomb attacks, there are best practices you should consider implementing to reduce your likelihood of falling victim to these kinds of attacks:
- Conduct Awareness and Training – Educate users about this type of attack and the policies in place for interacting with IT. Users should be concerned if they suddenly receive unsolicited email, and they should know what official channels IT would use to communicate with them.
- Securely Configure Systems – When malicious actors use email bombs as a pretext to conduct a phishing attack, they will often use a medium other than email, such as phone or an open communications platform like Teams, to contact the victim. By default, Teams allows communication from users outside of the organization. IT should change this setting to only allow Teams communication with pre-approved domains.
- Block or Disable Unneeded Remote Management Tools – During phishing attacks, malicious actors often trick users into granting device access through remote management tools like Microsoft Quick Assist. Since Windows includes this software by default, attackers don’t need to convince victims to install anything new. IT teams should proactively block or disable any remote access tools that aren’t officially approved.
- Test Email Filtering – Traditional email filters often fail to block email bomb attacks because the subscription emails come from legitimate sources. IT teams should regularly test their email filtering solutions to evaluate effectiveness and adjust sensitivity settings to align with the organization’s risk tolerance.
Conclusion
Overall, Sedara has seen a recent rise in email bomb attacks. Malicious actors use email bombs for several reasons. These include inconveniencing users, creating denial-of-service conditions, hiding more serious threats, or setting up social engineering attacks. While no single solution can fully prevent email bomb attacks, the strategies above can help reduce their likelihood and impact.
We Can Help
Sedara’s Security Operations Center (SOC) provides 24x7x365 monitoring of your network to detect and respond to malicious attacks. Our Cybersecurity Development Program (CDP) and virtual Chief Information Security Officers (vCISOs) can help assess your current cybersecurity program. They also guide you in implementing improvements tailored to your organization’s needs.
Contact us today to learn more and schedule a consultation.