New research identifies, analyzes an email bombing attack


Research from Darktrace discusses an email bombing attack observed in February 2025, in which a user received more than 150 emails in less than five minutes, sent from 107 unique domains. Each of these emails circumvented a Security Email Gateway (SEG). 

Email bombing, also referred to as spam bombing, is a technique in which a malicious actor sends a large volume of emails to a user within a short timeframe. This tactic can disrupt operations and can open the door for later social engineering attacks.

J Stephen Kowski, Field CTO at SlashNext Email Security+, explains, “These attacks aren’t just about mail — they’re a clever way to flood inboxes with legitimate-looking emails, making it harder to spot the real threats hidden in the chaos. What’s tricky is that these messages are not spam and this is how they get past spam filters. The technique often involves signing victims up for services or newsletters en masse, creating a flood of authentic messages. The real challenge is detecting these behavioral anomalies rather than relying on content-based filters. Solutions that focus on identifying unusual patterns in email activity and rapid registration bursts are key to staying ahead of this evolving tactic. If you have a solution looking for traditional spam, it won’t capture these.”
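The behavioral check described above can be sketched as a sliding window over mail-flow records, counting messages and distinct sender domains per recipient. This is an added example, not code from Darktrace or SlashNext; the `(timestamp, recipient, sender)` record shape, the thresholds, and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def detect_bursts(events, window=timedelta(minutes=5), min_msgs=100, min_domains=50):
    """events: (timestamp, recipient, sender) tuples sorted by timestamp.
    Returns one alert per recipient, raised the first time the recipient's
    trailing window holds >= min_msgs messages from >= min_domains domains.
    Both thresholds are assumed values; tune them against a local baseline."""
    recent = defaultdict(deque)     # recipient -> (ts, domain) pairs inside the window
    domains = defaultdict(Counter)  # recipient -> per-domain message count in the window
    alerts = {}
    for ts, rcpt, sender in events:
        dom = sender.rsplit("@", 1)[-1].lower()
        q, c = recent[rcpt], domains[rcpt]
        q.append((ts, dom))
        c[dom] += 1
        # Evict messages that have aged out of the window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # Volume alone is not enough: a single noisy sender is ordinary spam.
        # The spread across many unrelated domains is the bombing signal.
        if rcpt not in alerts and len(q) >= min_msgs and len(c) >= min_domains:
            alerts[rcpt] = {"recipient": rcpt, "window_start": q[0][0], "alert_at": ts,
                            "messages": len(q), "unique_domains": len(c)}
    return list(alerts.values())

def sample_events():
    """Constructed data: one flood shaped like the reported incident
    (150 messages, 107 domains, under five minutes) plus normal traffic."""
    t0 = datetime(2025, 2, 1, 9, 0, 0)  # constructed timestamp
    flood = [(t0 + timedelta(seconds=2 * i), "victim@example.com",
              f"noreply@list{i % 107}.example") for i in range(150)]
    normal = [(t0 + timedelta(minutes=30 * i), "colleague@example.com",
               f"news@vendor{i % 4}.example") for i in range(20)]
    return sorted(flood + normal)

if __name__ == "__main__":
    for alert in detect_bursts(sample_events()):
        print(alert)
```

Because the alert fires at the first threshold crossing, the flood is flagged partway through rather than after all 150 messages have landed.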

In the observed email bombing attack, malicious actors sent a large volume of emails while engaging in social engineering tactics, such as voice phishing (vishing). According to the research, the intention appeared to be accessing the user’s network by leveraging administrative tools for malicious actions. 

Since this technique often bypasses conventional email security measures, users must be vigilant and able to identify the threat. Chris Gray, Field CTO at Deepwatch, elaborates on the success of this tactic. 

“These tactics align to the concept of ‘military deception’ and have been quoted by strategists for thousands of years. By inundating the recipient, and the teams/platforms that support them, with these emails, the attackers are simply relying upon common tendencies to get careless, bored, or overwhelmed,” Gray states. “Individual attacks receive attention; floods of attacks become just noise and get ignored. Our guard is dropped. Our attention span wanders. Decisions are made that would otherwise never be acceptable. The detectable event is submerged in the fog of war. The link gets clicked. The alert gets missed. The password gets shared. The end result is the statement that we’ve heard a thousand times: The defender has to win every time, but the attacker only has to win once.”


