
Cybercriminals are breathing new life into a tried-and-tested spam attack, using the technique to boost their phishing and ransomware attempts.
What is email bombing?
This technique, called email bombing or ‘spam bombing’, sees attackers use a botnet to flood their victim’s inbox with a deluge of emails in a short amount of time.
These emails could be anything – the subject doesn’t really matter – ranging from nonsense text to registration emails, which are likely to whizz past email spam filters.
Emails tend to vary by sender, topic and language, according to analysis from security firm Darktrace, which, in one attack, discovered 150 emails from 107 unique domains sent in under five minutes. Many of these emails were sent using email-marketing platforms such as Mailchimp, making them appear legitimate.
The dangers of email bombing
At first glance, the attack appears more of a nuisance than a serious cyber threat. But serious cyber threat it is. An attacker could, for instance, crowd their victim’s inbox with so many emails that malicious activity is hard to spot. That was the case in 2024 when a data scientist found her inbox crammed with thousands upon thousands of messages. Upon closer scrutiny, she wrote, one email did stand out: a fraudulent charge via the Apple store for $1,300 (£962). The emails were sent to obfuscate that transaction.
And a new ransomware technique is emerging that combines email bombing with social engineering to potentially devastating effect.
Threat groups, such as Storm-1811, have been documented email bombing their target organisation to overload its inboxes. Then, posing as IT support, they follow up with a voice or video call via Microsoft Teams, where they use social engineering to trick their victims into enabling remote access.
Cybersecurity firm Sophos has documented dozens of such attacks occurring since November 2024. And emerging threat actors, such as the new 3AM group, are honing their attacks further. First, they conduct reconnaissance to learn all they can about the victim. Then, they email bomb their target.
Using the information gathered during reconnaissance, they then spoof the phone number of the target organisation’s IT support, making the communication appear legitimate, before they convince employees to enable remote IT access and begin exfiltrating data or deploying ransomware.
In a recent attack, the group was present on the victim’s network for nine days before it was discovered, although ransomware was not successfully deployed.
In addition to email filters and differentiating between internal and external communications, organisations should also carefully monitor the flow of network traffic to spot anomalous activity – and redouble efforts to educate employees about increasingly sophisticated phishing attempts that pose as IT support.
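The burst Darktrace reported (150 emails from 107 unique domains in under five minutes) maps onto a per-recipient sliding-window check over mail gateway logs: high volume combined with high sender-domain diversity. The Python below is an added example, not code from the article or from Darktrace; the thresholds, the event tuple format and all addresses are constructed assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # burst length reported in the article
MIN_MESSAGES = 100             # assumed threshold; tune to your own baseline
MIN_DOMAINS = 50               # assumed threshold for sender-domain diversity

def detect_email_bombing(events, window=WINDOW,
                         min_messages=MIN_MESSAGES, min_domains=MIN_DOMAINS):
    """events: (timestamp, recipient, sender) tuples sorted by timestamp."""
    state = {}      # recipient -> (deque of (ts, domain), Counter of domains)
    active = set()  # recipients currently over threshold (one alert per burst)
    alerts = []
    for ts, rcpt, sender in events:
        rcpt = rcpt.lower()
        domain = sender.rsplit("@", 1)[-1].lower()
        queue, domains = state.setdefault(rcpt, (deque(), Counter()))
        queue.append((ts, domain))
        domains[domain] += 1
        # Expire messages that have fallen out of the sliding window.
        while ts - queue[0][0] > window:
            _, old = queue.popleft()
            domains[old] -= 1
            if domains[old] == 0:
                del domains[old]
        over = len(queue) >= min_messages and len(domains) >= min_domains
        if over and rcpt not in active:
            active.add(rcpt)
            alerts.append({"recipient": rcpt, "detected_at": ts,
                           "messages": len(queue),
                           "unique_domains": len(domains)})
        elif not over:
            active.discard(rcpt)
    return alerts

def constructed_sample():
    """Constructed log: a 150-message, 107-domain burst plus benign bulk mail."""
    t0 = datetime(2025, 1, 6, 9, 0, 0)
    events = []
    for i in range(150):  # victim: one message every 1.9 s, 107 sender domains
        events.append((t0 + timedelta(seconds=1.9 * i), "victim@corp.example",
                       f"noreply@list{i % 107}.example"))
    for i in range(120):  # benign: high volume but a single sender domain
        events.append((t0 + timedelta(seconds=2 * i), "ops@corp.example",
                       "alerts@monitoring.example"))
    for i in range(30):   # benign: diverse senders but low volume
        events.append((t0 + timedelta(seconds=9 * i), "sales@corp.example",
                       f"contact@partner{i}.example"))
    return sorted(events, key=lambda e: e[0])
```

Requiring both conditions keeps a noisy single-sender feed (the constructed `ops@` mailbox) from alerting, while the multi-domain burst trips the rule at its 100th message, well before the flood ends.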
