Email bombing attacks involve an adversary sending a large volume of malicious emails to overwhelm a target’s mailbox and disrupt normal operations. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential disruptions before they escalate into more severe incidents.
KQL Query
EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count()
on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10
id: 24eb9c13-c188-4b3c-8e89-654e56ce4c56
name: Hunt for email bombing attacks
description: |
This query helps to hunt for possible email bombing attacks in Microsoft Defender for Office 365.
description-detailed: |
In this type of attacks threat actors initiate link listing attacks - a type of email bombing attack, where threat actors sign up targeted emails to multiple email subscription services to flood email addresses indirectly with subscribed content.
More details: https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ and https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where EmailDirection == "Inbound"
| make-series Emailcount = count()
on Timestamp step 1h by RecipientObjectId
| extend (Anomalies, AnomalyScore, ExpectedEmails) = series_decompose_anomalies(Emailcount)
| mv-expand Emailcount, Anomalies, AnomalyScore, ExpectedEmails to typeof(double), Timestamp
| where Anomalies != 0
| where AnomalyScore >= 10
version: 1.0.0| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled Email Backup Job
Description: A legitimate scheduled job runs a backup script that sends a large volume of emails to a backup mailbox.
Filter/Exclusion: Exclude emails sent to a specific backup mailbox (e.g., backup@company.com) or filter by the source IP of the backup server.
Scenario: Automated Email Reporting Tool
Description: A tool like Power Automate or Microsoft Flow is used to generate and send daily reports to multiple stakeholders, resulting in a high volume of emails.
Filter/Exclusion: Exclude emails sent from a known automation account (e.g., automation@company.com) or filter by the subject line containing “Report” or “Daily Summary”.
Scenario: Admin Task: User Password Reset Emails
Description: An admin task using Azure AD Password Protection or Microsoft 365 Admin Center sends password reset emails to multiple users.
Filter/Exclusion: Exclude emails sent to users in the users@company.com domain or filter by the sender email address of the admin service (e.g., admin@company.com).
Scenario: Internal Collaboration Tool Sync
Description: A tool like Microsoft Teams or SharePoint syncs calendar invites or meeting reminders across multiple users, leading to a high volume of emails.
Filter/Exclusion: Exclude emails with a subject line containing “Meeting” or “Calendar Invite” or filter by the sender email address of the collaboration tool (e.g., teams@company.com).
Scenario: User-Driven Email Forwarding Rule
Description: A user has set up an email forwarding rule in Outlook or Exchange Online that forwards emails to multiple recipients, mimicking an email bombing pattern.
Filter/Exclusion: Exclude emails sent from