Email bombing attacks have emerged as a sophisticated technique in cybercriminals' arsenals, designed to overwhelm targets' inboxes while concealing more malicious activities beneath the flood of messages. These attacks involve sending hundreds or thousands of emails to victims within a short timeframe, creating digital noise that makes it difficult for both users and security systems to identify truly threatening communications. Attackers leverage the chaos created by the influx of messages to hide social engineering attempts or malicious emails containing ransomware, credential phishing links, or other harmful payloads.

The tactic has gained popularity among threat actors because the individual emails often appear legitimate and bypass traditional security filters, as they typically originate from actual subscription services to which victims have been unknowingly registered. What makes these attacks particularly effective is their ability to circumvent standard email security tools, which typically analyze messages individually rather than identifying patterns across message volumes.

Darktrace analysts identified a sophisticated implementation of this technique in early 2025, when their systems detected a customer being targeted with over 150 emails from 107 unique domains in under five minutes. The behavioral analysis capabilities of Darktrace/EMAIL identified this unusual pattern despite all messages successfully bypassing the organization's reputable Secure Email Gateway (SEG).

Following the email bombardment, the threat actors initiated voice phishing (vishing) attempts through Microsoft Teams, impersonating the organization's IT department to establish trust and create a sense of urgency. During this interaction, the attackers convinced the user to share credentials, ultimately providing access to the Microsoft Quick Assist remote management tool.

LDAP scanning was followed by network reconnaissance, where the attackers initiated scans of the customer's environment and attempted connections to other internal devices. They proceeded to make multiple SMB sessions and NTLM authentication attempts to internal systems, a common technique for lateral movement within compromised networks. This activity represents a classic post-exploitation pattern where attackers gather intelligence about the network environment before expanding their foothold. Although these connection attempts failed in this instance, they demonstrate the attackers' methodology for expanding their control once initial access is gained through the email bombing distraction technique.
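The detection point made above, that email bombing is only visible when you look at volume and sender diversity across a window rather than at each message's reputation on its own, is straightforward to encode. The following is an added example written for this article; it is not Darktrace's code or anything from the original report. It assumes a constructed log format of `timestamp recipient sender` (one message per line, timestamp-ordered), and its thresholds are borrowed from the figures reported here (on the order of 150 messages from more than 100 distinct domains inside five minutes). The sample log is constructed inline.

```python
"""Sliding-window email-bombing detector (added example, not the article's code).

Flags a recipient who receives an unusually high number of messages from an
unusually large number of distinct sender domains inside a short window. The
log format 'ISO-timestamp recipient sender' is an assumption for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # observation window from the article's figures
MSG_THRESHOLD = 150             # messages to one recipient inside WINDOW
DOMAIN_THRESHOLD = 100          # distinct sender domains inside WINDOW


def parse_line(line):
    """Split a constructed 'timestamp recipient sender' line into its parts."""
    ts, rcpt, sender = line.split()
    domain = sender.rsplit("@", 1)[1].lower()
    return datetime.fromisoformat(ts), rcpt, domain


def detect_bursts(lines, window=WINDOW, msg_threshold=MSG_THRESHOLD,
                  domain_threshold=DOMAIN_THRESHOLD):
    """Return one alert per recipient whose traffic inside `window` crosses
    BOTH thresholds. Input lines must be ordered by timestamp."""
    recent = defaultdict(deque)   # recipient -> deque of (ts, domain), oldest first
    alerted = set()
    alerts = []
    for line in lines:
        ts, rcpt, domain = parse_line(line)
        q = recent[rcpt]
        q.append((ts, domain))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if rcpt in alerted:
            continue
        domains = {d for _, d in q}
        if len(q) >= msg_threshold and len(domains) >= domain_threshold:
            alerted.add(rcpt)
            alerts.append({
                "recipient": rcpt,
                "messages": len(q),
                "unique_domains": len(domains),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed sample: a 4-minute burst of 160 subscription confirmations
    hitting one mailbox from 110 distinct domains, mixed with ordinary traffic
    (20 messages, 3 domains) to a second user."""
    start = datetime(2025, 4, 1, 9, 0, 0)
    lines = []
    for i in range(160):
        ts = start + timedelta(seconds=(3 * i) // 2)          # 160 msgs over ~240 s
        domain = f"newsletter{i % 110}.example"               # 110 distinct domains
        lines.append(f"{ts.isoformat()} victim@corp.example noreply@{domain}")
    for i in range(20):
        ts = start + timedelta(seconds=i * 12)
        lines.append(f"{ts.isoformat()} colleague@corp.example user{i}@partner{i % 3}.example")
    lines.sort(key=lambda l: l.split()[0])                    # detector expects time order
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

Requiring both a message count and a domain-diversity threshold is the point of the example: a single chatty mailing list can exceed the count on its own, but a flood that arrives from over a hundred unrelated subscription services, each of which an SEG would rate as reputable, is the pattern the article describes. Thresholds belong in configuration and should be tuned to each organization's baseline; the alert itself is also a useful trigger to watch the targeted user's account for the follow-on contact (a Teams call from "IT") that the article reports.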
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 13 Apr 2025 09:40:06 +0000