Industry Insights • 10 ΜΙΝ READ

Inbox Overload & Deception: The Dual Threat of Email Bombing and Social Engineering Attacks

by Ninad Chogale, Eleanor Barlow • Jun 2024

The SecurityHQ team have observed a trend of recent email bombing attacks, followed by attempts to trick users into downloading malicious software via social engineering techniques.

What has also been observed, is the fact that the targeted organizations seem almost helpless to respond to this specific incident.

What is Email Bombing?

Email bombing is, essentially, a denial-of-service attack on emails. This cyber-attack involves sending a huge number of emails to specific users or organization-wide users to overflow the mailbox or email server. This type of attack can be executed for various reasons, including inter-organization conflicts, hacktivism, extortion, or even to hide more serious attacks.

Types of Email Bombing

  • Mass Subscription Bombing – Attackers sign-up the targeted organizations email addresses to multiple subscription services via scripting or using Bots.
  • Mass Mailing – Attacker sends thousands of emails from different sources to multiple users.
  • Attachment Bombing – Attacker send multiple email with large attachments or a zip file which consumes server resources when decompressed.

Attack Methodology

SecurityHQ are observing organizations flooded with emails from various senders, targeting all users. Most of the emails come from subscription services and are designed to look like part of a phishing email attack. Each email contains different links, and subject lines with encrypted keywords, and recipient email addresses with case-insensitive words. However, the attacker is not attempting to compromise users via phishing links. Instead, the attacker calls specific teams within the organization (such as finance or business) claiming to be IT support from the company.

The actors then impersonate the name of an internal user to gain the user’s confidence. Later, the attacker connects with the users, asking them to run multiple PowerShell scripts or directly requesting a remote session to execute malicious scripts themselves.

In some cases, attackers have been seen installing remote access tools like Anydesk, TeamViewer or even Microsoft Quick Assist. So far, based on the Indicators of Compromise (IOCs), the attackers do not appear to be associated with specific Advanced Persistent Threat (APT) or ransomware groups.

SecurityHQ’s Recommendations and Preventive Measures

  1. Use spam filters to identify subscription-based emails and block them before reaching users’ inboxes.
  2. Apply email rate limiting on email security solution.
  3. Be wary of contacts and meeting requests from outside of your organization.
  4. Implement strict Sender Policy Framework (SPF), Domain Message Authentication Reporting & Conformance (DMARC), and DomainKeys Identified Mail (DKIM) policies on mail servers.
  5. Users should avoid using work emails to subscribe to non-business-related sites.
  6. Raise user awareness about social engineering tactics
  7. Disable PowerShell scripting on normal workstations/laptops.
  8. Consider uninstalling Quick Assist and other remote monitoring and management tools if these tools are not in use in the environment.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats, tracking activities of threat-actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape. 

For more information on this threat, speak to an expert here. Or if you suspect a security incident, you can report an incident here.