T1667: Email Bombing
Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations.[1][2]
An adversary may accomplish email bombing by leveraging an automated bot to register a targeted address for e-mail lists that do not validate new signups, such as online newsletters. The result can be a wave of thousands of e-mails that effectively overloads the victim’s inbox.[2][3]
By sending hundreds or thousands of e-mails in quick succession, adversaries may successfully divert attention away from and bury legitimate messages including security alerts, daily business processes like help desk tickets and client correspondence, or ongoing scams.[3] This behavior can also be used as a tool of harassment.[2]
This behavior may be a precursor for Spearphishing Voice. For example, an adversary may email bomb a target and then follow up with a phone call to fraudulently offer assistance. This social engineering may lead to the use of Remote Access Software to steal credentials, deploy ransomware, conduct Financial Theft[1], or engage in other malicious activity.[4]
Analyst context for executives and security teams
Email Bombing matters because it can turn the corporate inbox into a denial-of-attention problem. A flood of messages may hide security alerts, help desk tickets, customer communications, or fraud-related correspondence at the exact moment users and responders need clarity. ATT&CK also notes it can precede voice-based social engineering where the attacker offers fake help, potentially leading to remote access software use, credential theft, ransomware deployment, or financial theft.
Executive priority
Treat this as an operational resilience and incident-readiness issue, not just spam. Leaders should ask whether critical mailboxes, executives, help desk staff, finance teams, and security alert recipients can still see and escalate legitimate messages during a mail flood. Priority decisions should focus on email platform configuration, user reporting paths, SOC monitoring for abnormal inbound volume, and playbooks for suspected email bombing followed by unsolicited support calls.
Technical view
This is an enterprise ATT&CK impact technique affecting Linux, Windows, macOS, and Office Suite contexts through the email workflow rather than a host exploit. SOC and IR teams should validate coverage against sudden, high-volume inbound messages to one or more targeted addresses, especially when paired with reports of unsolicited phone calls or requests to install remote access software. Relationship context identifies DET0355 as a detection strategy for Email Bombing, M1017 User Training and M1054 Software Configuration as mitigations, and Storm-1811 as a group reported by ATT&CK to use this behavior in social-engineering mechanisms.
Likely telemetry
- Email security gateway and mail platform logs showing inbound message volume, sender diversity, recipient targeting, delivery disposition, and quarantine actions
- Mailbox audit or message trace data for affected users and shared mailboxes
- Help desk and user-reported security tickets describing inbox flooding, missed messages, or suspicious follow-up calls
- Security alert delivery telemetry to determine whether alerts were buried, delayed, or missed
- Collaboration or phone-report records where users report fake help desk contact after the mail flood
Detection direction
- Baseline normal inbound email volume for high-risk users, shared mailboxes, help desk queues, finance, executives, and security alert recipients; alert on sudden spikes to a narrow recipient set.
- Tune detections to distinguish marketing bursts or legitimate list subscriptions from rapid, abnormal subscription-based floods that impair mailbox usability.
- Correlate email bombing reports with social-engineering indicators, especially unsolicited assistance offers and requests involving remote access software.
- Validate that alerting does not rely solely on the same mailbox being flooded; use SOC queues, SIEM notifications, or alternate escalation paths where possible.
- Use the ATT&CK relationship to DET0355 as a prompt to review the relevant detection strategy, but confirm applicability against local mail architecture and logging.
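The detection direction above (per-recipient baselining, spike alerting, separating single-sender marketing bursts from many-sender subscription floods, and checking whether security alerts were buried) can be prototyped against gateway message-trace data. The script below is an added illustration and is not ATT&CK, Glexia, or vendor code; the log line format, mailbox names, domains, baselines and thresholds are constructed for the example and should be replaced with the real export format and observed baselines of the local mail platform.

```python
"""Per-recipient inbound mail flood detection over mail-gateway log lines.

Added example (not ATT&CK or Glexia code). The log line format, sender
names, domains and thresholds below are constructed for illustration;
map them onto the real export format and baselines of your gateway.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # sliding window used for rate checks (assumed)


def build_sample_log():
    """Constructed gateway log: '<iso-timestamp> <recipient> <sender> <disposition>'."""
    t0 = datetime(2025, 1, 21, 8, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # Normal morning traffic for the CFO mailbox and the help desk queue.
    for m in (0, 20, 40):
        lines.append(f"{fmt(t0 + timedelta(minutes=m))} cfo@corp.example billing@vendor-a.example delivered")
    for m in range(0, 150, 30):
        lines.append(f"{fmt(t0 + timedelta(minutes=m))} helpdesk@corp.example user{m}@corp.example delivered")
    # Subscription flood: 300 newsletters from 300 distinct domains, one every 2 s from 09:00.
    flood_start = t0 + timedelta(hours=1)
    for i in range(300):
        lines.append(f"{fmt(flood_start + timedelta(seconds=2 * i))} cfo@corp.example news@site-{i:03d}.example delivered")
    # A security alert that lands in the middle of the flood.
    lines.append(f"{fmt(flood_start + timedelta(minutes=5))} cfo@corp.example soc-alerts@corp.example delivered")
    # Legitimate single-sender marketing burst (should not be classed as a subscription flood).
    burst_start = t0 + timedelta(hours=1, minutes=30)
    for i in range(40):
        lines.append(f"{fmt(burst_start + timedelta(seconds=10 * i))} marketing@corp.example promo@bigstore.example delivered")
    return lines


def parse_line(line):
    """Parse one constructed log line into an event dict."""
    ts, rcpt, sender, disposition = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "recipient": rcpt,
        "sender": sender,
        "domain": sender.rsplit("@", 1)[-1],
        "disposition": disposition,
    }


def detect_floods(events, baseline_per_window=3, multiplier=10, diversity_ratio=0.5):
    """Flag recipients whose inbound count in any WINDOW reaches multiplier x baseline.

    Returns {recipient: finding}. A finding with many distinct sender domains is
    labelled 'subscription-flood'; a burst from few senders is 'single-source-burst'
    (typical of a marketing campaign) so analysts can triage the two differently.
    """
    threshold = baseline_per_window * multiplier
    by_rcpt = defaultdict(list)
    for e in events:
        by_rcpt[e["recipient"]].append(e)
    findings = {}
    for rcpt, evs in by_rcpt.items():
        evs.sort(key=lambda e: e["ts"])
        triggered = set()  # indices of messages inside any window that exceeded the threshold
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 >= threshold:
                triggered.update(range(start, end + 1))
        if not triggered:
            continue
        flood = [evs[i] for i in sorted(triggered)]
        domains = {e["domain"] for e in flood}
        ratio = len(domains) / len(flood)
        findings[rcpt] = {
            "start": flood[0]["ts"],
            "end": flood[-1]["ts"],
            "count": len(flood),
            "distinct_sender_domains": len(domains),
            "kind": "subscription-flood" if ratio >= diversity_ratio else "single-source-burst",
        }
    return findings


def buried_messages(events, findings, critical_senders):
    """Messages from critical senders that arrived inside a detected flood window."""
    buried = []
    for e in events:
        f = findings.get(e["recipient"])
        if f and e["sender"] in critical_senders and f["start"] <= e["ts"] <= f["end"]:
            buried.append(e)
    return buried


if __name__ == "__main__":
    events = [parse_line(l) for l in build_sample_log()]
    findings = detect_floods(events)
    for rcpt, f in findings.items():
        print(f"{rcpt}: {f['kind']} {f['count']} msgs from {f['distinct_sender_domains']} domains "
              f"between {f['start']:%H:%M:%S} and {f['end']:%H:%M:%S}")
    for e in buried_messages(events, findings, {"soc-alerts@corp.example"}):
        print(f"BURIED: {e['sender']} -> {e['recipient']} at {e['ts']:%H:%M:%S}")
```

On the constructed data the CFO mailbox is reported as a subscription flood (301 messages from 301 sender domains in under ten minutes) with the SOC alert flagged as buried, while the 40-message marketing burst from a single sender is reported separately as a single-source burst and the help desk queue produces no finding. The sender-domain diversity ratio is the knob that implements the "marketing burst versus subscription flood" distinction; in production the baseline should come from observed per-mailbox history rather than a fixed constant, and the buried-message check should run against the list of senders whose messages must never be missed (security alerting, ticketing, approvals).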
Mitigation priorities
- Prioritize user training so employees recognize email bombing as a security event, preserve evidence, and avoid engaging with unsolicited callers offering help.
- Review email and office suite configuration controls for subscription floods, bulk-mail handling, rate-based filtering, quarantine, and mailbox rules that could reduce operational disruption.
- Establish an incident playbook for targeted mail floods, including alternate communications, help desk verification procedures, and escalation to security operations.
- Protect critical business and security workflows by ensuring important alerts, tickets, and approvals are not dependent on a single overwhelmed inbox.
- After an event, review whether legitimate messages were missed and whether follow-on social-engineering attempts occurred.
Analyst notes and limits
The supplied ATT&CK object places Email Bombing under the Impact tactic and describes business disruption, alert burial, harassment, and possible use before spearphishing voice activity. The Storm-1811 relationship is relevant for threat-intelligence context, but it should not be treated as attribution for a local incident without additional evidence.
ATT&CK provides no official detection text for this technique in the supplied fields, and DET0355 details are not included here beyond the relationship name. Local email platform capabilities, logging retention, mail routing, and business-critical mailbox design will determine practical coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1046: Storm-1811
Storm-1811 is a financially motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.[1][2][3][4]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0957b8762827… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] sophos-bombing: Mark Parsons, Colin Cowie, Daniel Souter, Hunter Neal, Anthony Bradshaw, Sean Gallagher. (2025, January 21). Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”. Retrieved January 31, 2025.
[2] krebs-email-bombing: Brian Krebs. (2016, August 18). Massive Email Bombs Target .Gov Addresses. Retrieved January 31, 2025.
[3] hhs-email-bombing: U.S. Department of Health and Human Services. (2024, March 12). Defense and Mitigations from E-mail Bombing. Retrieved January 31, 2025.
[4] rapid7-email-bombing: Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
[5] mitre-attack: T1667.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.