Darktrace uncovers spam bombing campaign used to mask targeted cyberattacks

A new report out today from Darktrace Ltd. details how its artificial intelligence-powered platform detected and responded to a series of “spam bombing” attacks designed to overwhelm email systems and disguise more targeted infiltration attempts.

Spam bombing attacks, also known as “email spam bombs,” involve overwhelming a target’s inbox with a flood of unsolicited emails, typically by signing the victim up for hundreds or thousands of legitimate newsletters and subscription services. The emails received are often harmless, but the sheer volume of emails is designed to disrupt normal operations and conceal malicious messages, such as phishing attempts or malware-laced communications.

The spam bombing tactic makes it harder for users and traditional security tools to spot and respond to genuine threats buried within the noise, serving as a digital smokescreen of sorts for deeper intrusions like account takeovers or internal reconnaissance.

Darktrace responded to spam bombing attacks between February and March this year, in which attackers signed victims up to numerous email newsletters and services, making it easier to hide phishing messages or to follow up through other channels such as voice phishing and Microsoft Teams calls.

In the spam bomb attacks, the attackers attempted to infiltrate organizations’ networks using remote-support tools such as Quick Assist, which, though typically used for legitimate administrative purposes, were abused for malicious activity.

Darktrace’s AI-powered detection platform identified the campaigns by flagging anomalies in user behavior and email traffic patterns. The company’s EMAIL module assigned a 100% rarity score to the unusual influx of messages and identified misuse of email marketing tools like Mandrill, a Mailchimp extension, which attackers used to send customized phishing emails and gather recipient engagement data.

While flooding inboxes with unwanted emails may sound somewhat simplistic, the attackers in the campaigns were also found to employ layered social engineering tactics. Impersonating internal information technology staff, they engaged victims via Microsoft Teams calls and vishing in an attempt to gain trust and trick users into granting access or executing malicious tools.

In several cases, once initial contact was established, Darktrace detected the victim’s device performing internal reconnaissance via LDAP queries and SMB connection attempts, signs of a deeper network infiltration effort.

To contain the threat, Darktrace leveraged its Autonomous Response technology, which can restrict device activity based on its “pattern of life.” When unusual connections were detected, such as unauthorized port 445 activity, Autonomous Response triggered containment actions.
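As an added illustration, not Darktrace’s code or anything from the report: a minimal pattern-of-life check in Python that learns each device’s normal (destination, port) pairs from a constructed learning-period log, then flags a device whose SMB and LDAP connections to hosts it has never contacted before are both rare for it and numerous, in the spirit of the port 445 alerting described above. Device names, the LDAP ports 389/636, the log format and the thresholds are assumptions.

```python
from collections import defaultdict

# SMB (445) and LDAP (389, 636) are the protocols the report names for internal reconnaissance.
RECON_PORTS = {445, 389, 636}

# Constructed learning-period log: (source device, destination, port).
BASELINE_LOG = [
    ("ws-17", "fileserver", 445), ("ws-17", "dc1", 389), ("ws-17", "proxy", 8080),
    ("ws-22", "fileserver", 445), ("ws-22", "dc1", 389),
]

# Constructed live log: ws-17 starts fanning out to peer workstations over SMB.
LIVE_LOG = [
    ("ws-17", "dc1", 389), ("ws-17", "fileserver", 445),
    ("ws-17", "ws-02", 445), ("ws-17", "ws-03", 445), ("ws-17", "ws-04", 445),
    ("ws-17", "dc1", 636),
    ("ws-22", "fileserver", 445), ("ws-22", "dc1", 389),
]

def build_baseline(log):
    """Learn each device's pattern of life as the set of (destination, port) pairs it used."""
    baseline = defaultdict(set)
    for src, dst, port in log:
        baseline[src].add((dst, port))
    return baseline

def score_device(baseline, log, src):
    """Rarity: share of the device's recon-port connections not present in its baseline."""
    seen = baseline.get(src, set())
    recon = [(d, p) for s, d, p in log if s == src and p in RECON_PORTS]
    if not recon:
        return 0.0, []
    novel_events = [pair for pair in recon if pair not in seen]
    return len(novel_events) / len(recon), sorted(set(novel_events))

def detect_recon(baseline, log, min_rarity=0.5, min_novel=3):
    """Flag devices whose novel SMB/LDAP fan-out is both rare for them and broad enough to matter."""
    alerts = {}
    for src in {s for s, _, _ in log}:
        rarity, novel = score_device(baseline, log, src)
        if rarity >= min_rarity and len(novel) >= min_novel:
            alerts[src] = {"rarity": round(rarity, 2), "novel": novel}
    return alerts

if __name__ == "__main__":
    print(detect_recon(build_baseline(BASELINE_LOG), LIVE_LOG))
```

A real deployment would learn the baseline over days rather than from a handful of rows, and would feed an alert like this into the containment step rather than just printing it.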

Although the outcome was positive, the report notes that in environments configured to require human confirmation, some attacker activity continued until manual intervention was approved, underscoring the need to tune automated defenses so that threats are mitigated in a timely manner.
