Microsoft introduces protection against email bombing

By the end of July 2025, all Microsoft Defender for Office 365 customers should be protected from email bombing attacks by default, Microsoft has announced on Monday.

What is email bombing?

Email bombing (aka spam bombing) is an attack technique that results in large volumes of email messages being sent to one or more target email addresses.

It used to be performed by signing the target email address up to email list subscriptions, but these days it’s usually performed with the help of bot(net)s, and the content of the emails can be anything that’s likely to fool email defenses.

Email bombing is often deployed by attackers to hide a security-relevant email notification in a sea of spam or to create a diversion while another aspect of the attack unfolds in the background.

Relatively recently, email bombing started getting coupled with phishing: the target’s email inbox gets flooded with thousands of emails, and a few minutes later they are contacted via phone, Zoom, or Microsoft Teams by the attackers impersonating the organization’s IT support or managed IT services provider and offering help with the situation.

If the target accepts, they are usually instructed to download and install remote access software.

As Sophos MDR experts recently pointed out, the email bombing part of the attack pushes the target into letting their defenses down.

“This type of attack is brilliant because it creates a sense of urgency and legitimacy, making victims more likely to accept remote assistance and inadvertently allow malware planting or data theft,” says Urja Gandhi, Senior Product Manager at Microsoft.

How will this protection against email bombing work?

Organizations usually try to block email bombing attacks by building their own mail flow rules, but Microsoft wanted to create a more comprehensive solution within its cloud-based email security suite.

“By intelligently tracking message volumes across different sources and time intervals, this new detection leverages historical patterns of the sender and signals related to spam content,” Gandhi explained. “It prevents mail bombs to be dropped into the user’s inbox and the messages are rather sent to the Junk folder (of Outlook).”

Customers don’t need to worry that emails coming from senders that the organization or employee put on the Safe Senders list will not be delivered – those lists will still be honored.

This new detection feature is currently being rolled out to customers worldwide. It will be on by default, and will require no manual configuration from admins.

At the same time, organizations’ security teams will maintain visibility into these attacks, as its SOC analysts will be able to:

• Get notifications when a mail bombing attack is happening
• Analyze the frequency and volume of mailbombing attacks that employees have been targeted with
• Investigate, filter and hunt for threats related to mail bombing.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!