Microsoft Defender for Office 365 to Block Email Bombing Attacks

Microsoft has announced a major security update to its cloud-based protection platform, Defender for Office 365. The new feature will automatically detect and block email bombing attacks, a growing tactic used by threat actors to overwhelm inboxes and obscure real threats.


What Is Defender for Office 365?

Formerly known as Office 365 Advanced Threat Protection (ATP), Microsoft Defender for Office 365 is designed to protect high-risk industries and enterprise organizations against advanced email- and collaboration-based threats. It defends against phishing, malware, ransomware, and now—email bombing.


The New Mail Bombing Feature

The Mail Bombing protection began rolling out in late June 2025 and will be fully deployed by the end of July. The feature is:

  • Enabled by default (no configuration required)
  • Designed to automatically detect and divert mass email attacks to the Junk folder
  • Fully integrated into Defender’s existing tools, including:
    • Threat Explorer
    • Email Page
    • Email Summary Dashboard
    • Advanced Hunting

In a blog post, Microsoft explained the rationale behind the feature:

“We’re introducing a new feature in Microsoft Defender for Office 365 to help protect your organization from the growing threat known as email bombing. This form of abuse floods inboxes with massive amounts of emails, burying critical messages and overwhelming systems. The new Mail Bombing feature automatically detects and blocks such attacks, helping security teams focus on real threats.”

How Email Bombing Works

Email bombing involves flooding a target’s inbox with thousands of emails, often within minutes. This can be accomplished by:

  • Subscribing the victim to hundreds or thousands of mailing lists
  • Using automated services or botnets to send bulk emails from multiple sources
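The flood pattern described above (a large burst of mail to one recipient, arriving from many unrelated senders) can be flagged with a sliding-window count, as in this added example. It is not Microsoft's detection logic or code from the article; the event tuple format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own mail baseline.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 50
MIN_SENDER_DOMAINS = 30


def detect_mail_bombing(events, window=WINDOW, min_messages=MIN_MESSAGES,
                        min_domains=MIN_SENDER_DOMAINS):
    """Return {recipient: first time both thresholds were crossed}.

    events: iterable of (timestamp, sender_domain, recipient) tuples.
    """
    recent = defaultdict(deque)  # recipient -> (ts, domain) pairs inside window
    flagged = {}
    for ts, domain, rcpt in sorted(events):
        q = recent[rcpt]
        q.append((ts, domain))
        # Drop messages that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        if rcpt in flagged:
            continue
        # Volume alone is not enough: require many distinct sender domains too.
        if len(q) >= min_messages and len({d for _, d in q}) >= min_domains:
            flagged[rcpt] = ts
    return flagged


def build_sample_events():
    """Constructed sample data: one flooded mailbox, two normal ones."""
    start = datetime(2025, 7, 1, 9, 0, 0)
    events = []
    # victim@: 120 list-confirmation mails from 120 domains in 6 minutes.
    for i in range(120):
        events.append((start + timedelta(seconds=3 * i),
                       f"list{i}.example", "victim@contoso.example"))
    # alice@: ordinary traffic, 20 mails over 5 hours from 4 domains.
    for i in range(20):
        events.append((start + timedelta(minutes=15 * i),
                       f"partner{i % 4}.example", "alice@contoso.example"))
    # bob@: high volume from a single sender (e.g. a monitoring system).
    for i in range(200):
        events.append((start + timedelta(seconds=2 * i),
                       "monitoring.example", "bob@contoso.example"))
    return events
```

Requiring many distinct sender domains as well as raw volume keeps a single noisy but legitimate sender, such as the monitoring system in the sample data, from being flagged.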

Why Attackers Use It:

  • To bury alerts from security tools and hide real intrusions
  • To distract IT and security teams, reducing response efficiency
  • To enable follow-up social engineering attacks

For example, the BlackBasta ransomware group reportedly used email bombing before launching vishing attacks—where attackers posed as IT support over the phone, convincing employees to install remote access tools like AnyDesk or Windows Quick Assist.

Other ransomware groups, including 3AM and FIN7-linked actors, have also adopted this method as part of multi-stage intrusion campaigns.


Why This Matters

Email bombing isn't just an annoyance—it’s a disruption tactic with serious implications. By flooding inboxes, attackers can:

  • Conceal phishing emails or malware
  • Distract or disable automated threat detection
  • Overwhelm SOC (Security Operations Center) personnel
  • Set the stage for credential theft, remote access attacks, or ransomware deployment

Microsoft’s proactive approach ensures organizations can automatically neutralize this tactic, improving visibility into genuine threats and reducing alert fatigue.


Key Takeaway

Microsoft’s Mail Bombing protection closes a critical gap in modern email defense strategies. With zero setup required, organizations using Defender for Office 365 can immediately benefit from improved protection against mass-mailing campaigns designed to mask more serious cyberattack