Office 365's Microsoft Defender Now Thwarts Email Bombing Assaults


Microsoft claims that the cloud-based email security suite Defender for Office 365 can now automatically detect and prevent email bombing attacks. 

Defender for Office 365 (previously known as Office 365 Advanced Threat Protection or Office 365 ATP) protects organisations that operate in high-risk industries and face sophisticated attackers from malicious threats delivered via email messages, links, or collaboration tools.

"We're introducing a new detection capability in Microsoft Defender for Office 365 to help protect your organization from a growing threat known as email bombing," Redmond notes in a Microsoft 365 message center update. "This form of abuse floods mailboxes with high volumes of email to obscure important messages or overwhelm systems. The new 'Mail Bombing' detection will automatically identify and block these attacks, helping security teams maintain visibility into real threats."

In late June 2025, the new 'Mail Bombing' feature began to roll out, and by late July, it should be available to all organisations. All messages detected as being part of a mail bombing operation will be automatically routed to the Junk folder. The detection is toggled on by default and requires no manual configuration.

Security operations analysts and administrators can now employ Mail Bombing as a new detection type in Threat Explorer, the Email entity page, the Email summary panel, and Advanced Hunting, the company announced over the weekend.

By leveraging specialised cybercrime services that can send a high number of emails or by subscribing to several newsletters, attackers can use mail bombing operations to bombard their targets' email inboxes with thousands or tens of thousands of messages in a matter of minutes.
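As an added example (not from Microsoft or the original article), the burst pattern described above can also be hunted for in Advanced Hunting with a simple volume heuristic over the `EmailEvents` table. The window size and both thresholds are assumed values to tune per tenant, and the query does not depend on the new Mail Bombing detection label.

```kusto
// Added example: volume heuristic for mail-bombing bursts.
// Window size and thresholds below are assumptions, not Microsoft's detection logic.
let lookback = 7d;
let window = 10m;
let minBurst = 500;          // assumed: inbound messages per recipient per window
let minSenderDomains = 50;   // assumed: distinct sender domains per window
// Inbound mail per recipient, bucketed into fixed windows.
let perWindow = EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | summarize Messages = count(),
                SenderDomains = dcount(SenderFromDomain),
                Junked = countif(DeliveryAction == "Junked"),
                SampleSubjects = make_set(Subject, 5)
        by RecipientEmailAddress, Window = bin(Timestamp, window);
// Per-recipient context: what a busy window normally looks like.
let baseline = perWindow
    | summarize TypicalMessages = percentile(Messages, 95) by RecipientEmailAddress;
// Windows with both high volume and many unrelated senders
// (newsletter sign-up floods come from many distinct domains).
perWindow
| where Messages >= minBurst and SenderDomains >= minSenderDomains
| join kind=leftouter baseline on RecipientEmailAddress
| project Window, RecipientEmailAddress, Messages, SenderDomains,
          Junked, TypicalMessages, SampleSubjects
| order by Messages desc
```

A recipient surfaced by this query is worth a direct check with the user, since the flood is typically followed within minutes by a call from someone posing as IT support.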

In the majority of cases, the perpetrators' ultimate goal is to overwhelm email security systems as part of social engineering schemes, paving the way for malware or ransomware operations that can aid in the exfiltration of sensitive data from victims' compromised devices.

Email bombing has been used in attacks by cybercrime and ransomware outfits for more than a year. It all started with the BlackBasta gang, who employed this approach to flood their victims' mailboxes with emails just minutes before beginning their attacks.

To deceive overwhelmed staff members into granting remote access to their devices via AnyDesk or the built-in Windows Quick Assist application, they would follow up with voice phishing cold calls, posing as the victims' IT support teams. After penetrating the systems and deploying a variety of malicious tools and malware implants, the attackers would move laterally through corporate networks before unleashing ransomware payloads.