Microsoft announced that its cloud-based email security tool, Defender for Office 365, will now be able to automatically detect and block attacks known as email bombing.
Defender for Office 365 (formerly known as Office 365 ATP) is designed to protect companies that work in sensitive sectors and are often targeted by cybercriminals who attack through email, malicious links, and even collaboration tools.
In a recent update to the Microsoft 365 message center, the company explained: “We are launching a new detection feature in Defender for Office 365 that will help protect organizations against an increasingly common threat: email bombing.”
This type of attack floods the inbox with hundreds or thousands of emails, either to hide important messages or simply to overwhelm the system. With this new feature, called Mail Bombing Detection, the system will automatically identify and stop these attacks, allowing security teams to focus on real threats without the mailbox being overwhelmed.
New protection against spam and email bombing in Office 365 is automatically enabled
The new mail bombing feature began rolling out in late June 2025 and will reach all organizations by the end of July. Best of all, it comes enabled by default, so you don't need to configure anything. If a mailbox is detected as the target of this type of attack, the emails are automatically sent to the junk mail folder, with no manual action required.
As Microsoft explained this weekend, this new capability is already available to security analysts and administrators within tools such as Threat Explorer, the email entities view, the email summary dashboard, and also in Advanced Hunting, which allows for deeper analysis of threats.
How does this type of attack work?
Email bombing is a technique used by cybercriminals to flood your inbox with thousands of emails in a matter of minutes. They can do this by subscribing your email to hundreds of newsletters or using malicious services that automatically generate spam. The result: your inbox crashes, important messages get lost in the chaos, and email security systems are overwhelmed.
This method is not new. In fact, it has been used by ransomware and cybercrime groups for over a year. One well-known case is that of the Black Basta gang, which sent thousands of spam emails just before launching its attacks. They then called the victims directly, posing as the company's technical support, with the aim of deceiving them and convincing them to hand over control of their devices. They did this using tools such as AnyDesk or the Windows remote assistance feature.
Once they gained access, they deployed malware and other malicious tools to move around the corporate network. At the end of the process, they installed ransomware to lock the systems and demand payments in exchange for releasing the data.
More recently, this technique has also been seen in attacks carried out by the 3AM ransomware group and cybercriminals linked to FIN7, who also use email bombing as part of their social engineering tactics. Their goal: to pressure confused workers into handing over their remote access credentials, making it easier to get into the company's systems.
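The flood pattern described above (one mailbox receiving a burst of mail from many unrelated senders within minutes) can be flagged from ordinary message-trace data. The following is an added example, not Microsoft's detection logic: the function names, the thresholds (200 messages and 50 sender domains in 10 minutes) and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_mail_bombs(events, window=timedelta(minutes=10),
                      min_msgs=200, min_domains=50):
    """Flag recipients hit by a high-volume, high-diversity burst.

    events: iterable of (timestamp, recipient, sender_address), time-ordered.
    Returns {recipient: (first_alert_time, msgs_in_window, distinct_domains)}.
    Thresholds are illustrative assumptions; tune them to local mail volume.
    """
    recent = defaultdict(deque)   # recipient -> (timestamp, sender_domain)
    alerts = {}
    for ts, rcpt, sender in events:
        q = recent[rcpt]
        q.append((ts, sender.rsplit("@", 1)[-1].lower()))
        # Drop messages that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        if rcpt in alerts or len(q) < min_msgs:
            continue
        # Volume alone also matches noisy internal systems; subscription
        # bombing arrives from many unrelated sender domains at once.
        domains = {d for _, d in q}
        if len(domains) >= min_domains:
            alerts[rcpt] = (ts, len(q), len(domains))
    return alerts

def constructed_sample():
    """Constructed events: one bombed mailbox, one noisy but benign one."""
    t0 = datetime(2025, 7, 1, 9, 0, 0)
    events = []
    for i in range(300):          # 300 messages in 5 minutes each
        ts = t0 + timedelta(seconds=i)
        events.append((ts, "victim@example.com",
                       f"news@list{i % 100}.example"))   # 100 sender domains
        events.append((ts, "oncall@example.com",
                       "alerts@monitor.example"))        # single sender
    for i in range(5):            # ordinary low-volume mailbox
        events.append((t0 + timedelta(minutes=i), "quiet@example.com",
                       f"peer{i}@partner.example"))
    events.sort(key=lambda e: e[0])
    return events

if __name__ == "__main__":
    for rcpt, (ts, n, d) in detect_mail_bombs(constructed_sample()).items():
        print(f"{ts} possible mail bomb: {rcpt} ({n} msgs, {d} domains)")
```

Because a mail bomb often precedes a fake help-desk call, an alert like this is most useful when it also prompts a check for unexpected remote-access sessions on the affected user's device.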