Microsoft Defender Stops Email Bombing Attacks in Office 365

Summary
– Microsoft Defender for Office 365 now automatically detects and blocks email bombing attacks, protecting organizations from high-volume email floods.
– The new ‘Mail Bombing’ feature, rolling out from late June to late July 2025, requires no manual setup and moves malicious emails to the Junk folder.
– Email bombing overwhelms inboxes with thousands of messages, often to obscure threats or enable follow-up attacks like malware or ransomware.
– Attackers, including groups like BlackBasta and FIN7, use email bombing to facilitate social engineering, such as phishing for remote access.
– After infiltrating systems, attackers deploy malware to move laterally and execute ransomware, often targeting sensitive data.
Microsoft Defender for Office 365 now includes advanced protection against email bombing attacks, automatically detecting and blocking these malicious campaigns to safeguard organizational inboxes. The cloud-based security solution, previously known as Office 365 Advanced Threat Protection, is designed to combat sophisticated threats targeting email communications and collaboration tools.
In a recent update, Microsoft announced the rollout of its new ‘Mail Bombing’ detection feature, which identifies and mitigates large-scale email floods aimed at overwhelming systems or hiding critical messages. This capability is now active by default, requiring no manual setup, and diverts suspicious emails directly to the Junk folder. The feature began its phased release in late June 2025 and is expected to be fully deployed by the end of July.
Security teams can monitor these threats through Threat Explorer, the Email entity page, and Advanced Hunting, where mail bombing incidents are flagged as a distinct detection type. The automated response helps organizations maintain visibility into genuine security risks while reducing noise from coordinated spam attacks.
Email bombing has emerged as a favored tactic among cybercriminals, particularly ransomware groups like BlackBasta, 3AM, and FIN7 affiliates. Attackers inundate targets with thousands of messages in minutes—either by exploiting newsletter subscriptions or leveraging specialized spam services. The chaos created by these floods often serves as a smokescreen for follow-up social engineering schemes, such as fraudulent IT support calls urging victims to grant remote access. Once inside, threat actors deploy malware, move laterally across networks, and ultimately execute ransomware attacks.
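The burst pattern described above (thousands of messages to one mailbox within minutes, frequently from many distinct newsletter senders) is the signal a defender looks for when building their own alert on mail-flow logs alongside the product's built-in detection. The following Python is an added example written for this article, not Microsoft's detection logic or code from the original page. It runs a sliding-window count per recipient over a constructed inbound-mail log and reports recipients whose volume crosses a threshold, together with the number of distinct senders (a high distinct-sender count is typical of subscription bombing). The log format, the window length and the threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for this example; real thresholds depend on
# the organisation's normal per-mailbox volume.
WINDOW = timedelta(minutes=10)   # sliding window length
THRESHOLD = 50                   # inbound messages to one recipient inside WINDOW


def parse_line(line):
    """Parse one constructed log record: '<ISO timestamp> <recipient> <sender>'."""
    ts, rcpt, sender = line.split()
    return datetime.fromisoformat(ts), rcpt.lower(), sender.lower()


def detect_mail_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: {...}} for every recipient whose inbound volume
    reached `threshold` messages within any `window`-long span.

    Each alert records the span of the flood, the peak in-window count and
    the peak number of distinct senders seen inside the window."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)   # recipient -> deque of (timestamp, sender) in window
    alerts = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender))
        # Drop messages that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        distinct = len({s for _, s in q})
        alert = alerts.get(rcpt)
        if alert is None:
            alerts[rcpt] = {
                "start": q[0][0],
                "end": ts,
                "count": len(q),
                "distinct_senders": distinct,
            }
        else:
            alert["end"] = ts
            alert["count"] = max(alert["count"], len(q))
            alert["distinct_senders"] = max(alert["distinct_senders"], distinct)
    return alerts


def build_sample_log():
    """Constructed sample data (not real traffic): one normal mailbox and one
    mailbox hit by 80 newsletter confirmations in about four minutes."""
    base = datetime(2025, 7, 1, 9, 0, 0)
    lines = []
    # Normal traffic: six messages to alice over an hour from two known senders.
    for i in range(6):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} alice@example.com colleague{i % 2}@partner.example")
    # Flood: 80 messages to bob, one every three seconds, each from a different list.
    for i in range(80):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} bob@example.com news{i}@list{i}.example")
    return lines


if __name__ == "__main__":
    for rcpt, info in detect_mail_bombing(build_sample_log()).items():
        print(f"{rcpt}: {info['count']} messages from {info['distinct_senders']} senders "
              f"between {info['start'].time()} and {info['end'].time()}")
```

The distinct-sender figure is what separates a subscription bomb from, say, a single misconfigured system retrying a notification; an alert rule can weight the two cases differently, and the same per-recipient, per-window aggregation can be expressed against the mail-flow tables in Advanced Hunting once the product's own Mail Bombing verdict is available to join against.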
By integrating this defense mechanism, Microsoft aims to disrupt these campaigns early, preventing attackers from exploiting overwhelmed employees or bypassing security measures. The move reflects the growing need for proactive email security as cybercriminals refine their tactics to evade traditional filters.
(Source: BLEEPINGCOMPUTER)