Imagine waking up to an inbox flooded with thousands of junk emails, all arriving at once. That’s an email bombing attack, and it’s not just annoying – it’s a tactic cybercriminals use to hide more dangerous threats. The good news? Microsoft Defender for Office 365 is now automatically detecting and stopping these floods, making your inbox safer without you having to lift a finger. This new feature is rolling out now, adding a crucial layer of protection against a growing threat.
Microsoft Defender for Office 365 is the company’s cloud-based security service designed to protect businesses from email threats like phishing, malware, and spam. Previously known as Office 365 Advanced Threat Protection (ATP), it’s widely used, especially by organizations facing advanced cyber threats.
According to a recent message from Microsoft, a new “Mail Bombing” detection capability is being added to Defender for Office 365. This feature targets attacks that deliberately overwhelm mailboxes with a massive volume of emails to either bury legitimate, important messages or simply overload the email system itself.
The really user-friendly part is that this new detection is turned on by default. You don’t need to configure anything. Once activated for your account, any email identified as part of a mail bombing campaign will automatically be sent straight to your Junk folder, keeping your main inbox clear.
This feature started rolling out in late June 2025 and is expected to be available to all organizations using Defender for Office 365 by late July. Security teams within companies will also gain visibility into these detected attacks through tools like Threat Explorer and Advanced Hunting within the Defender platform.
Why Email Bombing is a Growing Problem
Email bombing isn’t just a nuisance; it’s often a calculated move in more sophisticated cyberattacks. By flooding an inbox with thousands of emails – sometimes tens of thousands within minutes – attackers create chaos. This deluge can make it incredibly difficult for recipients to spot a single, malicious email containing a phishing link or malware attachment.
Attackers often use this tactic as a smokescreen. They might send the email flood and then follow up with a phone call (known as voice phishing or ‘vishing’) or a message on a corporate chat platform like Microsoft Teams. Posing as IT support, they tell the overwhelmed employee that there’s a security issue with their account or computer and they need remote access to fix it. If successful, this grants the attacker entry to the company network.
Real-World Attacks Using Email Bombing
This isn’t just theoretical. Several prominent cybercrime and ransomware groups have been using email bombing for over a year.
For instance, the notorious BlackBasta ransomware gang was one of the first to heavily rely on this method. They would flood victim inboxes just before making vishing calls, posing as IT support to trick employees into using remote access tools like AnyDesk or Windows Quick Assist. Once they gained access, they could move through the network and eventually deploy ransomware.
More recently, other groups, including affiliates of the 3AM ransomware and cybercriminals linked to the FIN7 group, have also adopted similar tactics. They combine email bombing with spoofed IT support calls or messages, aiming to steal credentials or gain remote access to corporate systems.
By automatically identifying these email bombs and diverting them to the Junk folder, Microsoft Defender for Office 365 aims to disrupt this common attack chain, making it harder for cybercriminals to hide their true intentions and reducing the chances of employees falling victim to subsequent social engineering attempts.
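Security teams can also hunt for the chain described above by correlating a per-recipient mail burst with a later launch of a remote access tool by the same user. The Python below is an added example, not Microsoft's detection logic or code from the original article; the event tuple layouts, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own mail volume.
BURST_WINDOW = timedelta(minutes=10)
BURST_MIN_MESSAGES = 200
BURST_MIN_SENDER_DOMAINS = 50
FOLLOW_UP_WINDOW = timedelta(hours=4)
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}

def find_bursts(mail_events):
    """mail_events: (timestamp, recipient, sender). Returns {recipient: burst start}."""
    windows, bursts = defaultdict(deque), {}
    for ts, recipient, sender in sorted(mail_events):
        win = windows[recipient]
        win.append((ts, sender.rsplit("@", 1)[-1].lower()))
        while ts - win[0][0] > BURST_WINDOW:  # slide the window forward
            win.popleft()
        domains = {d for _, d in win}
        if (recipient not in bursts and len(win) >= BURST_MIN_MESSAGES
                and len(domains) >= BURST_MIN_SENDER_DOMAINS):
            bursts[recipient] = ts
    return bursts

def correlate(mail_events, process_events):
    """process_events: (timestamp, user, image name). Flags tool launches after a burst."""
    bursts = find_bursts(mail_events)
    alerts = []
    for ts, user, image in sorted(process_events):
        start = bursts.get(user)
        if (start is not None and image.lower() in REMOTE_TOOLS
                and timedelta(0) <= ts - start <= FOLLOW_UP_WINDOW):
            alerts.append((user, image, start, ts))
    return alerts

# Constructed sample data: one flooded mailbox, one mailbox with normal traffic.
T0 = datetime(2025, 7, 1, 9, 0)
MAIL = [(T0 + timedelta(seconds=i), "alice@example.com", f"news{i}@list{i % 100}.example")
        for i in range(300)]
MAIL += [(T0 + timedelta(minutes=3 * i), "bob@example.com", "peer@partner.example")
         for i in range(20)]
PROCS = [
    (T0 + timedelta(minutes=40), "alice@example.com", "QuickAssist.exe"),  # after flood
    (T0 + timedelta(minutes=45), "bob@example.com", "AnyDesk.exe"),        # no flood
    (T0 + timedelta(hours=9), "alice@example.com", "AnyDesk.exe"),         # too late
]

if __name__ == "__main__":
    print(correlate(MAIL, PROCS))
```

Requiring many distinct sender domains as well as raw volume keeps a single noisy mailing list from tripping the burst threshold.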
What This Means for You
For most users, this update means less junk mail and better protection against complex attacks without any effort on your part. For IT and security teams, it means a powerful new tool that automatically handles a specific type of attack, freeing up time to focus on other threats while maintaining visibility into malicious activity targeting their organization. This built-in defense simplifies security and strengthens your first line of defense – your email inbox.