Email bombing attacks have emerged as a sophisticated technique in cybercriminals’ arsenals, designed to overwhelm targets’ inboxes while concealing more malicious activities beneath the flood of messages.

These attacks involve sending hundreds or thousands of emails to victims within a short timeframe, creating digital noise that makes it difficult for both users and security systems to identify truly threatening communications.

The tactic has gained popularity among threat actors because the individual emails often appear legitimate and bypass traditional security filters, as they typically originate from actual subscription services to which victims have been unknowingly registered.

The primary objective of email bombing extends beyond mere disruption. Attackers leverage the chaos created by the influx of messages to hide [social engineering](https://cybersecuritynews.com/hackers-using-advanced-social-engineering-techniques/) attempts or malicious emails containing ransomware, credential phishing links, or other harmful payloads.

Multiple threat actors have adopted this approach, including the notorious Ransomware-as-a-Service group Black Basta (also known as Storm-1811).

What makes these attacks particularly effective is their ability to circumvent standard [email security tools](https://cybersecuritynews.com/smtp-test-tools/), which typically analyze messages individually rather than identifying patterns across message volumes.

Darktrace analysts [identified](https://www.darktrace.com/blog/email-bombing-exposed-darktraces-email-defense-in-action) a sophisticated implementation of this technique in early 2025, when their systems detected a customer being targeted with over 150 emails from 107 unique domains in under five minutes.

The behavioral analysis capabilities of Darktrace/EMAIL identified this unusual pattern despite all messages successfully bypassing the organization’s reputable Security Email Gateway (SEG).
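The cross-message pattern described above (message volume combined with sender-domain diversity for a single recipient) can be checked with a sliding window over mail-flow logs. The following is an added example, not code from Darktrace or the original article; the event tuple layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (tune per environment), set below the incident figures
# quoted above: over 150 emails from 107 unique domains in under five minutes.
WINDOW = timedelta(minutes=5)
MIN_MESSAGES = 100
MIN_DOMAINS = 50

def detect_email_bombing(events, window=WINDOW, min_messages=MIN_MESSAGES, min_domains=MIN_DOMAINS):
    """events: time-sorted (timestamp, recipient, sender); returns {recipient: alert}."""
    queues = defaultdict(deque)           # recipient -> (timestamp, sender domain)
    domain_counts = defaultdict(Counter)  # recipient -> domains inside the window
    alerts = {}
    for ts, recipient, sender in events:
        rcpt = recipient.lower()
        domain = sender.rsplit("@", 1)[-1].lower()
        q, counts = queues[rcpt], domain_counts[rcpt]
        q.append((ts, domain))
        counts[domain] += 1
        # Expire messages older than the sliding window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        # Volume alone is not enough: require many distinct sender domains too.
        if rcpt not in alerts and len(q) >= min_messages and len(counts) >= min_domains:
            alerts[rcpt] = {"first_seen": q[0][0], "detected_at": ts,
                            "messages": len(q), "unique_domains": len(counts)}
    return alerts

def build_sample_events():
    """Constructed sample data, not taken from the incident."""
    start = datetime(2025, 1, 1, 9, 0, 0)
    events = []
    for i in range(150):  # targeted user: 150 messages, 107 domains, 4.5 minutes
        events.append((start + timedelta(seconds=1.8 * i), "victim@corp.example",
                       f"noreply@list{i % 107}.example"))
    for i in range(120):  # busy mailbox: high volume from a single domain
        events.append((start + timedelta(seconds=2 * i), "ops@corp.example",
                       "alerts@monitoring.example"))
    for i in range(20):   # ordinary user: 20 messages over an hour
        events.append((start + timedelta(minutes=3 * i), "user@corp.example",
                       f"contact@partner{i % 3}.example"))
    return sorted(events)

if __name__ == "__main__":
    print(detect_email_bombing(build_sample_events()))
```

Only the targeted mailbox is flagged in the sample data; the single-domain bulk sender stays below the domain-diversity threshold even though its volume is high.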
Darktrace’s analysis shows the dramatic spike in unusual emails that characterized this attack.

[Figure: Graph showing the unusual spike in unusual emails (Source: Darktrace)]

The attack’s impact extended well beyond email disruption. Following the email bombardment, the threat actors initiated voice phishing (vishing) attempts through Microsoft Teams, impersonating the organization’s IT department to establish trust and create a sense of urgency.

The victim, already overwhelmed by the email bombing, accepted the call. During this interaction, the attackers convinced the user to share credentials, ultimately providing access to the Microsoft Quick Assist remote management tool.

Once inside the network, the attackers’ methodology became increasingly sophisticated. The compromised device began performing LDAP [reconnaissance](https://cybersecuritynews.com/morphing-meerkat-phaas-using-dns-reconnaissance/), attempting to bind to local directory services and query user information.

[Figure: Cyber AI Analyst investigation (Source: Darktrace)]

This activity represents a classic post-exploitation pattern where attackers gather intelligence about the network environment before expanding their foothold.

```powershell
# Example of similar LDAP reconnaissance pattern
Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, UserPrincipalName, Enabled
```

This LDAP scanning was followed by network reconnaissance, where the attackers initiated scans of the customer’s environment and attempted connections to other internal devices.

They proceeded to make multiple SMB sessions and NTLM authentication attempts to internal systems, a common technique for lateral movement within compromised networks.

Although these connection attempts failed in this instance, they demonstrate the attackers’ methodology for expanding their control once initial access is gained through the email bombing distraction technique.

The post [Threat Actors Use Email Bombing Attacks to Bypass Security Tools & Hide Activity](https://cybersecuritynews.com/threat-actors-use-email-bombing-attacks/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
Related Tags:
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Black Basta
Blog: Cybersecurity News
TA0043 – Reconnaissance
TA0008 – Lateral Movement
Phishing: Spearphishing Attachment
Phishing
Account Discovery: Domain Account