Threat actors are using a technique known as "spam bombing" to overload victims' email inboxes and provide cover for more harmful activity. Darktrace analysts Maria Geronikolou and Cameron Boyd detailed an example of the technique in which the threat actor used a legitimate email campaign product to swarm a victim with spam and then attempted to phish them under the guise of a "helpful" IT staffer. The attack illustrates how threat actors abuse legitimate products for malicious activity and how they continue to innovate in social engineering. [1]
Spam bombing is considered a variant of email bombing, a technique in which a threat actor overloads a victim's inbox with emails to disrupt their use of email; security researchers often refer to it as a denial-of-service attack. Spam bombing works similarly, but, as the research explains, the emails received are explicitly spam in nature; Geronikolou, who authored the blog post, said "the threat actors sign up the targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content."
In the campaign detailed by Darktrace, the threat actor overloaded victims with spam subscription emails and then sent a further email posing as IT staff, using the spam bombing itself as the pretext for offering IT assistance. The threat actor then aimed to get the prospective victim onto a Microsoft Teams call and convince them to take actions that would ultimately compromise the network.
The technique ultimately extends a threat actor's preexisting social engineering toolkit. However, Nathaniel Jones, vice president of security and AI and field chief information security officer (CISO) at Darktrace, says that email bombing has multiple use cases beyond this. "Attackers use [email bombing] to distract security teams, overwhelm logging systems, hide malicious emails among benign ones, and trigger rate limiting in security tools," Jones says. "Groups like Black Basta incorporate email bombing into sophisticated attack chains leading to ransomware. The technique provides psychological leverage for social engineering and technical advantages that facilitate various network compromise methods."
See: https://redskyalliance.org/xindustry/black-basta-2
For the campaign detailed in the new research, Darktrace tracked a cluster of activity between February and March in which a threat actor weaponized emails whose subjects indicated the user had signed up for newsletters and other subscriptions. Darktrace saw attackers using Mandrill, an extension of the Mailchimp email automation platform.
"This extension allows senders to send personalized one-on-one emails and has genuine use cases. It also features additional integrations such as the 'Custom Tracking Domains' and the 'Inbound Email processing,'" Geronikolou wrote. "In the first case, the attackers can disguise malicious links as legitimate ones while the latter integration can be exploited to gather sensitive information from incoming emails." Threat actors, Geronikolou wrote, often use Mandrill because of its detailed activity reporting capabilities, such as whether a user opens an email.
After swarming targets with otherwise harmless spam emails, the threat actor would attempt to contact the target via Teams, often posing as IT staff. After the call, "Darktrace analysts observed that the device belonging to the Email Spam Bomb recipient was engaged in scanning and reconnaissance activities shortly after the Teams communication took place," Geronikolou wrote.
Although certain defensive tools can help, such as a high-quality email gateway, mitigating spam bombing is largely a matter of defending against social engineering. As such, Jones says user training and incident response procedures are "essential."
"Employees should be taught to recognize when they're being manipulated through manufactured problems designed for social engineering," he says. "Organizations should develop clear protocols for handling sudden email disruptions and verifying IT support contacts. Creating alternative communication channels for emergencies can provide resilience against these attacks. The key is understanding that email bombing typically signals the beginning of a more sophisticated attack rather than the end goal itself."
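As an added example (not code from Darktrace, Red Sky Alliance or the article's sources), the following Python script turns two of the points above into detection logic: Jones's observation that attackers hide malicious emails among the benign flood, and the recommendation to verify IT support contacts. It runs over a constructed mail-gateway log, finds recipients whose inbox receives a burst of subscription-style messages, lists the non-subscription messages that arrived during and shortly after the flood, and marks those that use an IT/Teams pretext from a domain other than the recipient's own. The log format, subject regexes, window, threshold and 30-minute tail are assumptions chosen for illustration; the article specifies none of them.

```python
"""Spam-bomb burst detector over mail-gateway log lines (added example).

Not code from Darktrace or Red Sky Alliance. Log format, subject heuristics,
thresholds and the sender-domain check are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log. Assumed line format:
# "<ISO-8601 timestamp> <recipient> <sender> <subject...>"
SAMPLE_LOG = """\
2025-03-04T08:30:00Z alice@corp.example dave@corp.example Re: budget numbers
2025-03-04T09:00:12Z alice@corp.example news@retailer-a.example Confirm your subscription to Retailer A
2025-03-04T09:00:40Z alice@corp.example hello@newsletter-b.example Welcome to the Newsletter B mailing list
2025-03-04T09:01:05Z alice@corp.example noreply@shop-c.example Please verify your email address
2025-03-04T09:01:50Z alice@corp.example digest@forum-d.example Thanks for signing up to Forum D
2025-03-04T09:02:33Z alice@corp.example promo@store-e.example Confirm your subscription
2025-03-04T09:03:10Z alice@corp.example weekly@blog-f.example Welcome to our newsletter
2025-03-04T09:03:40Z alice@corp.example dave@corp.example Quarterly report draft attached
2025-03-04T09:04:45Z alice@corp.example updates@site-g.example Verify your new account
2025-03-04T09:06:02Z alice@corp.example list@community-h.example Subscription confirmed
2025-03-04T09:07:30Z alice@corp.example it-helpdesk@corp-support.example IT: inbox flooding detected, join our Teams call
2025-03-04T09:20:00Z bob@corp.example news@retailer-a.example Confirm your subscription to Retailer A
"""

# Subjects typical of subscription sign-up / confirmation mail (assumed heuristic).
SUBSCRIPTION_RE = re.compile(
    r"\b(confirm|verify|welcome|subscription|newsletter|signing up|mailing list)\b", re.I)
# Subjects that claim an IT-support pretext or steer the user to a call (assumed heuristic).
IT_PRETEXT_RE = re.compile(r"\b(helpdesk|help desk|support|teams|call)\b", re.I)


def parse_log(text):
    """Parse log lines into event dicts with a parsed timestamp and a subscription flag."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rcpt, sender, subject = line.split(" ", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "rcpt": rcpt.lower(),
            "sender": sender.lower(),
            "subject": subject,
            "is_sub": bool(SUBSCRIPTION_RE.search(subject)),
        })
    return events


def domain(addr):
    return addr.rsplit("@", 1)[-1]


def find_bursts(events, window=timedelta(minutes=10), threshold=5,
                tail=timedelta(minutes=30)):
    """Return {recipient: [burst, ...]} for recipients who got >= threshold
    subscription-style messages inside any `window`. Each burst lists the
    non-subscription messages seen during the flood and for `tail` after it
    (the needle in the haystack) and the subset that looks like an external
    IT-support pretext."""
    by_rcpt = defaultdict(list)
    for e in events:
        by_rcpt[e["rcpt"]].append(e)

    alerts = {}
    for rcpt, evs in by_rcpt.items():
        evs.sort(key=lambda e: e["ts"])
        subs = [e for e in evs if e["is_sub"]]
        spans = []  # merged [start, end] intervals of subscription floods
        lo = 0
        for hi in range(len(subs)):
            while subs[hi]["ts"] - subs[lo]["ts"] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                start, end = subs[lo]["ts"], subs[hi]["ts"]
                if spans and start <= spans[-1][1]:
                    spans[-1][1] = end  # extend the flood already in progress
                else:
                    spans.append([start, end])
        bursts = []
        for start, end in spans:
            outliers = [e for e in evs
                        if not e["is_sub"] and start <= e["ts"] <= end + tail]
            suspicious = [e for e in outliers
                          if domain(e["sender"]) != domain(rcpt)
                          and IT_PRETEXT_RE.search(e["subject"])]
            bursts.append({
                "start": start, "end": end,
                "subscription_count": sum(start <= e["ts"] <= end for e in subs),
                "outliers": outliers,
                "suspicious": suspicious,
            })
        if bursts:
            alerts[rcpt] = bursts
    return alerts


if __name__ == "__main__":
    for rcpt, bursts in find_bursts(parse_log(SAMPLE_LOG)).items():
        for b in bursts:
            print(f"{rcpt}: {b['subscription_count']} subscription mails "
                  f"{b['start']:%H:%M}-{b['end']:%H:%M}; "
                  f"{len(b['outliers'])} other messages in/after the flood")
            for e in b["suspicious"]:
                print(f"  REVIEW: {e['ts']:%H:%M} {e['sender']} :: {e['subject']}")
```

The "suspicious" list is a triage queue for an analyst, not an automatic verdict: a genuine helpdesk that mails from a separate support domain would be flagged too, which is exactly where the verification protocol for IT contacts applies. The window and threshold should be tuned against the organization's normal subscription volume so that the detector itself does not become the rate-limited choke point Jones describes attackers aiming for.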
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-spam-bombing-malicious-motives
© 2025 Red Sky Alliance Corporation. All rights reserved.