Tick, tick, boom: The growing threat of email bombing 

Executive summary 

  • Email bombing floods inboxes with thousands of messages in minutes, masking potentially critical alerts and creating a denial-of-service on your team’s attention. 
  • Attackers often combine email bombs with social engineering calls, posing as IT support teams and tricking victims into granting remote access. 
  • Microsoft Defender for Office 365’s email bombing detection automatically neutralises these attacks, and it’s rolling out by the end of August 2025 with no need to configure anything. 

Introduction 

Most email spam is annoying, but it’s manageable.  

You simply report it, move it to Junk, and get on with your day. But a newer form of cyberattack, email bombing, takes spam to a whole new level. 

Despite its dramatic name, email bombing is a strategic cyberattack that disrupts your day-to-day workflow and – most importantly – paves the way for far more serious threats.  

With cyberthreats everywhere today, missing a critical security alert could spell disaster for any organisation, so it’s essential that you’re familiar with email bombing – and the measures companies like Microsoft have put in place to mitigate it.

Let’s unpack what email bombing is and how you can fight back. 

What is email bombing? 

Email bombing is a “volume” attack.  

In plain English, it’s when an email address is enrolled in large numbers of newsletters, alerts and other subscription services, or is flooded using bulk mailing services, in a short space of time. We’re not talking about a handful of emails here, either – imagine receiving a thousand emails in just a few minutes.

These incoming messages are often legitimate-looking – confirmations, updates or notifications – so they don’t trigger the same instinctive suspicion as obvious spam messages would. Instead, they bury genuine security alerts or urgent client messages under a wall of emails. You might be tempted to select all and delete – but what else might you miss if you do?  

Email bombing is like a denial-of-service (DoS) attack, but its target is your attention, not your infrastructure.

Why do attackers use email bombing?  

It’s easy to see that email bombing would be a huge annoyance for the user – but how does it benefit attackers? Why do they bother with a deluge of emails? 

Here’s what they usually do following a successful email bombing attack:

  • Social engineering via live contact. While the victim deals with the deluge of emails, attackers make cold calls or send Teams or Zoom messages claiming to be IT, creating urgency to persuade users to follow “quick fix” instructions (which are usually just malware). 
  • Send targeted follow-ups. Attackers can capitalise on the chaos by sending carefully worded follow-up emails – fake invoices, vendor updates, or internal requests – designed to look routine so recipients are less likely to scrutinise them while mentally (and digitally) overloaded. 
  • Trigger account recovery and fish for codes. Attackers initiate password resets, sign-in attempts, or MFA pushes, then call or message the user claiming to help. Under pressure, the user may reveal verification codes or approve a push, giving the attacker a way in. 

Help is on the way 

It’s not just us who have noticed the increase in email bombing attacks – Microsoft has too.  

That’s why Microsoft Defender for Office 365 has introduced a dedicated email bombing detection capability.  

Here’s what you need to know if you’re a Microsoft 365 subscriber: 

  • Intelligent volume tracking. Defender analyses message volumes across senders and time intervals, flagging sudden spikes that match known bombing patterns. 
  • Spam signal integration. By combining sender reputation data with content-based spam signals, the system distinguishes genuine business communications from bombardment campaigns. 
  • Automatic routing. Instead of relying on manual rules or quarantines, suspicious emails are diverted directly to the Junk folder – keeping your inbox uncluttered. 
  • Safe-sender integrity. Trusted senders on your safe list remain unaffected, ensuring no false positives interrupt your critical correspondence. 

Following a successful test which saw 20 – 30 thousand mail bombs blocked daily, the rollout began in early May and is on track to complete by the end of August 2025. 

All Exchange Online Protection and Defender for Office 365 plans include this feature by default, so there’s no extra cost or configuration to take care of – it’ll just work. That’s peace of mind for you, and a bit more security for your team.  

5 ways to prevent email bombing attacks 

If you’re familiar with modern cyberattacks, you’ll know preventing them is like Whack-A-Mole, but prevention is always better than cure. 

Here are 5 ways to avoid email bombing attacks hitting your business: 

  1. Tighten spam and bulk filters. Configure your email gateway and inbox filters to automatically quarantine any unusual email surges before they reach your organisation’s users. 
  2. Enforce Multi-Factor Authentication (MFA). MFA has become table stakes for organisations today, and it still prevents many account takeovers, even if passwords are phished or leaked.
  3. Train for email bombing scenarios. Run short, scenario-based sessions that show how an inbox flood can be followed by a convincing support call and what your team should do instead.
  4. Keep software patched and endpoints hardened. Update email clients, remote-access tools, and endpoints to close any known vulnerabilities that attackers may try to exploit after a successful social engineering attempt. 
  5. Define and rehearse an incident playbook. Decide who isolates accounts, who resets credentials, and when to escalate to external support. Test the plan with a tabletop exercise so response is fast and calm. 
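
The volume-spike idea behind the Defender detection bullets earlier and tip 1 above can be sketched as a sliding-window check per recipient. This is an added illustration, not Microsoft's algorithm or code from this article; the `Msg` fields, the `bulk` flag (a stand-in for bulk/spam signals), the thresholds and every address are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from typing import NamedTuple

class Msg(NamedTuple):
    ts: int        # arrival time in seconds
    rcpt: str      # recipient mailbox
    sender: str    # sender address
    bulk: bool     # assumed stand-in for bulk/spam signals (e.g. list mail)

def route(msgs, safe_senders, window_s=300, min_msgs=20, min_domains=15):
    """Return {index: 'inbox' | 'junk'} for msgs sorted by arrival time.

    Thresholds are illustrative assumptions, not vendor defaults.
    """
    recent = defaultdict(deque)            # rcpt -> deque of (ts, domain)
    verdicts = {}
    for i, m in enumerate(msgs):
        if m.sender.lower() in safe_senders:
            verdicts[i] = "inbox"          # safe list: never counted, never junked
            continue
        win = recent[m.rcpt]
        win.append((m.ts, m.sender.rsplit("@", 1)[-1].lower()))
        while win[0][0] <= m.ts - window_s:
            win.popleft()                  # drop entries older than the window
        # A bomb is many messages from many unrelated domains at once.
        spike = (len(win) >= min_msgs
                 and len({d for _, d in win}) >= min_domains)
        verdicts[i] = "junk" if spike and m.bulk else "inbox"
    return verdicts

def sample():
    """Constructed traffic: a two-minute flood at alice, quiet mail at bob."""
    msgs = [Msg(1000 + 3 * n, "alice@example.com",
                f"noreply@list{n}.example.net", True) for n in range(40)]
    msgs.append(Msg(1060, "alice@example.com", "soc@example.com", False))
    msgs.append(Msg(1090, "alice@example.com", "client@partner.example", False))
    msgs += [Msg(1000 + 3600 * n, "bob@example.com",
                 f"news@shop{n}.example.org", True) for n in range(3)]
    return sorted(msgs, key=lambda m: m.ts)

if __name__ == "__main__":
    msgs = sample()
    verdicts = route(msgs, safe_senders={"soc@example.com"})
    junked = sum(1 for v in verdicts.values() if v == "junk")
    print(f"{junked} of {len(msgs)} messages routed to junk")
    for i, m in enumerate(msgs):
        if not m.bulk:                     # show what survived the flood
            print(m.ts, m.sender, "->", verdicts[i])
```

With these thresholds the first 19 flood messages still reach the inbox before the spike is recognised, which is the trade-off to tune: lower thresholds catch the flood sooner but risk junking a busy but legitimate newsletter morning.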

Get support when you need it

If you’re wondering how email bombing protection integrates with your existing setup – or if you’d like personalised advice from our experts – reach out to your Get Support Customer Success Manager or call us on 01865 594 000.