Material delivers a new solution to a resurgent threat: automated remediations to email flooding attacks.
Email bombs are making a comeback. Whether harassing the victims, obfuscating other attacks, or setting up social engineering attacks, the tactic has become increasingly prevalent – and it’s just as difficult to detect and remediate today as it was back when Discmans were still a thing.
Material Security detects and automatically remediates these attacks, thanks to the platform’s deep historical mailbox context, advanced analytical capabilities, and unique ability to move and reclassify emails post-delivery.
Introduction
Everybody loves the classics: that song you used to listen to every morning on your way to high school. That pair of jeans that’ve gone in and out of style twice since you bought them. That email attack technique from thirty years ago that’s incredibly disruptive and difficult to prevent even with today’s email security tools…
Ok, maybe not that last one.
Email bombs (variously referred to as email flooding, spam bombing, or registration bombing) date back at least to the 1990s. They flood the target’s inbox with hundreds or even thousands of unwanted messages, with the goal to obfuscate another attack, to set the user up for a fraudulent follow-up social engineering attempt, or simply to harass the victim and render the inbox useless.
Traditional email security tools and even spam filters struggle with these attacks, because for the most part, the emails are by themselves legitimate. They’re signups for newsletters, services, free trials: they’re only attacks in aggregate form.
When Material began seeing increasing variations of this in the wild, our engineers realized our infrastructure was perfectly positioned to address this threat: our API connection to mailboxes provides us with the historical context and control over mailbox behavior to not only detect these attacks when they occur, but remediate them as well.
So how’d we get here, and much more importantly: how do you deal with it?
Background: the email bomb threat
There are quite a few variations of email bombs, but they all involve hitting an inbox with hundreds or thousands of messages in a very short time. A scalable approach involves using botnets to register the target email account for a variety of online services (newsletters, subscriptions, and so on), leading to a deluge of account verification, confirmation, and welcome emails.
As noted above, this tactic is not new–the first reported case of these types of attack is from almost thirty years ago. But in the last twelve months or so, we’ve seen a dramatic uptick in their prevalence and frequency–along with some nasty variations and evolutions.
The goals of these attacks vary, but they boil down to three basic objectives:
- Obfuscation - Attacks use email bombs as a means to prevent victims from noticing alerts of other more-damaging attack techniques being employed. For example, an email from your credit card provider calling out an unusual transaction is something most people will usually notice… but if that email is buried within a thousand other emails, the chances the user will see the one meaningful one drops significantly.
- Setup for Social Engineering Attack - Some campaigns have followed up email bomb attacks with a vishing attack–a phone call from a fraudulent “IT help desk” saying that they noticed the attack, and offering to help the victim remedy it. Once the victim allows remote access to their computer, the adversary may deploy Black Basta or other malware or ransomware.
- Harassment - Some attacks have sought to do nothing but disrupt the victim’s ability to use their inbox, from public figures to government accounts to cybersecurity reporters.
Material initially began developing its solution to email bombs in response to a customer receiving a targeted harassment campaign. One of that customer’s high-visibility employees was having their inbox effectively shut down periodically by high volumes of messages designed to do nothing but harass, intimidate, and render the inbox useless.
As we began developing a response, we looked for other evidence of email floods across our customer base, and found evidence of Storm 1811, Black Basta, and similar threat actors and attacks. This reinforced the need for robust and flexible protection for all types of email flooding, and convinced us we were on the right path.
Bomb sniffing: detecting the undetectable
Traditional email security tools rarely catch these attacks, as email bombs often make use of perfectly legitimate services. They don’t come from domains of known bad actors, they don’t contain malicious payloads or links and, except for cases of harassment, the language in the emails themselves is perfectly benign. Individually, few if any of the emails within an email bomb would trigger any sort of email security tool.
Material’s unique approach to email and data security, however, includes syncing and analyzing each enrolled account’s full email history…which includes incoming email volume. This access gives us an interesting way to detect these attacks: by capturing anomalous volumes of incoming email.
Building historical models
We created a historical model of each mailbox’s typical email volume. Early in our development, we realized that what looks like an email bomb for an intern’s mailbox is just another Tuesday for the CEO.
Based on the email arrival times in the mailbox, we calculated the average emails received per hour, as well as maximum limits, variance, and standard deviation of the distribution. This gives us our baseline against which we can compare potential attacks.
Surge detection logic
Our historical baseline gives us a reliable way to determine when incoming email volume is anomalous enough to qualify as an attack. We took a simple yet powerful approach: compare the live email arrival rate against the historical baseline, compute the z-score (how many standard deviations the live rate sits above the historical rate of incoming emails), and escalate when that score exceeds a threshold, which can be adjusted on a per-customer basis as needed.
We found this approach best suited to the wide variation between inboxes, preventing false alarms for naturally busy accounts, while still catching spikes in quieter inboxes.
If we counted every incoming email, we could raise an alarm for normal communications. To avoid these cases, the platform takes trusted entities and communications from within the organization into account when detecting attacks–both to accurately detect attack volume and to minimize the chances that legitimate (if noisy) communications are detected and remediated as part of the attack.
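The baseline-and-z-score check described in this section, written out as an added example (not Material's code). The organization domain, the trusted-sender list, the two 48-hour histories and the live hour of mail are all constructed; the floor on the standard deviation and the threshold of 4 are assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed values for this example (not Material's configuration):
INTERNAL_DOMAIN = "example.com"            # the organization's own domain
TRUSTED_SENDERS = {"alerts@bank.example"}   # allow-listed external senders

def is_trusted(sender):
    """Internal and allow-listed senders never count toward attack volume."""
    return sender.endswith("@" + INTERNAL_DOMAIN) or sender in TRUSTED_SENDERS

def hourly_counts(messages, start, hours):
    """Bucket (arrival_time, sender) pairs into per-hour counts from `start`."""
    buckets = [0] * hours
    for arrived, sender in messages:
        if is_trusted(sender):
            continue
        idx = int((arrived - start).total_seconds() // 3600)
        if 0 <= idx < hours:
            buckets[idx] += 1
    return buckets

def build_baseline(hourly):
    """Per-mailbox model: mean, standard deviation and observed max per hour."""
    return {"mean": mean(hourly), "std": pstdev(hourly), "max": max(hourly)}

def z_score(live_per_hour, base):
    sigma = max(base["std"], 1.0)  # floor so a perfectly flat history can't divide by zero
    return (live_per_hour - base["mean"]) / sigma

def is_surge(live_per_hour, base, threshold=4.0):
    """Escalate when the live rate is `threshold` std devs above the baseline."""
    return z_score(live_per_hour, base) >= threshold

# Constructed baselines: 48 hourly counts of external mail for two mailboxes.
INTERN_HISTORY = [2, 3, 4, 3] * 12    # mean 3.0, std ~0.7
CEO_HISTORY = [50, 70, 60, 80] * 12   # mean 65.0, std ~11.2

# Constructed live hour: 80 signup confirmations plus one internal and one trusted mail.
T0 = datetime(2025, 1, 1, 9, 0)
LIVE_HOUR = [(T0 + timedelta(seconds=30 * i), f"noreply@site{i}.example") for i in range(80)]
LIVE_HOUR += [(T0 + timedelta(minutes=1), "ceo@example.com"),
              (T0 + timedelta(minutes=2), "alerts@bank.example")]

if __name__ == "__main__":
    live_rate = hourly_counts(LIVE_HOUR, T0, 1)[0]  # 80: internal/trusted excluded
    for name, history in (("intern", INTERN_HISTORY), ("ceo", CEO_HISTORY)):
        base = build_baseline(history)
        print(name, round(z_score(live_rate, base), 2), is_surge(live_rate, base))
```

The same 80 messages in an hour score 77 standard deviations above the intern's baseline but only about 1.3 above the CEO's, which is exactly the per-mailbox distinction the section describes.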
Bomb disposal: remediating attacks
Detection is obviously a critical first step, but it’s not like the victims need to be told they’re under attack. Remediation is critical–and this is where Material’s unique capabilities to easily move and reclassify emails after delivery give us superpowers.
When an attack is detected, the platform identifies when the attack started and begins an initial fast filtering pass. Because Material can manipulate the mailbox directly, we can filter both the emails already delivered before detection was triggered and the subsequent incoming mail into a designated location (a dedicated label in Gmail, a folder in Outlook). The platform's combination of threat research, organizational context, and machine learning removes the unwanted emails received since the beginning of the attack, leaving legitimate and trusted messages intact.
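An added illustration (not Material's implementation) of the two remediation steps just described: estimating when the flood began by walking back from the detection time until external volume returns to baseline, then sorting every message received since then into a flood label while internal and trusted senders stay in the inbox. The label name, domain, trusted list, five-minute gap rule and sample mailbox are all constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed values for this example (not Material's configuration):
INTERNAL_DOMAIN = "example.com"
TRUSTED_SENDERS = {"alerts@bank.example"}
FLOOD_LABEL = "Email Flood"   # hypothetical label/folder the flood is moved into

def is_trusted(sender):
    return sender.endswith("@" + INTERNAL_DOMAIN) or sender in TRUSTED_SENDERS

def find_attack_start(messages, detected_at, baseline_per_minute, lookback_minutes=120):
    """Walk back minute by minute from detection; the earliest minute of the unbroken
    run of above-baseline external volume is taken as the attack start."""
    per_minute = {}
    for arrived, sender, _ in messages:
        if not is_trusted(sender):
            minute = arrived.replace(second=0, microsecond=0)
            per_minute[minute] = per_minute.get(minute, 0) + 1
    start = detected_at.replace(second=0, microsecond=0)
    cursor, quiet = start, 0
    for _ in range(lookback_minutes):
        cursor -= timedelta(minutes=1)
        if per_minute.get(cursor, 0) > baseline_per_minute:
            start, quiet = cursor, 0
        else:
            quiet += 1
            if quiet >= 5:  # five quiet minutes in a row: the flood began after this gap
                break
    return start

def triage(messages, attack_start):
    """Return (destination, subject) pairs: everything since the attack start moves to
    the flood label unless the sender is internal or trusted. Nothing is deleted."""
    return [(FLOOD_LABEL if arrived >= attack_start and not is_trusted(sender) else "INBOX",
             subject) for arrived, sender, subject in messages]

def at(h, m, s=0):
    return datetime(2025, 1, 1, h, m, s)

# Constructed mailbox: one normal message, a 40-message flood at 10/minute from 09:30,
# and a trusted bank alert plus an internal message that land mid-flood.
SAMPLE = (
    [(at(9, 5), "friend@mail.example", "lunch?")]
    + [(at(9, 30 + i // 10, (i % 10) * 6), f"noreply@shop{i}.example", "Welcome!")
       for i in range(40)]
    + [(at(9, 31), "alerts@bank.example", "Unusual transaction"),
       (at(9, 32), "ceo@example.com", "Q3 numbers")]
)
```

With detection at 09:33:30, `find_attack_start(SAMPLE, at(9, 33, 30), 0.1)` lands on 09:30, and `triage` moves the 40 welcome emails while the lunch invitation, the bank alert and the CEO's message stay put.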

From the user’s perspective, when their account is opted in to the protection, they may see the initial flood of notifications of emails hitting their inbox, but within a matter of seconds, they’ll see the notifications stop and the attack emails disappear from their inbox, along with a new label or folder automatically created within their mailbox containing the flood. Material also enables the security team to configure automated emails to be sent to users at the start and end of the attack, notifying them that we’ve detected the surge.
It’s worth noting two things here. First, these emails are filtered into a separate folder/label to free up the inbox and mitigate the disruption caused by the attack. Second, by default, detected messages aren’t deleted or destroyed, so users can retrieve any legitimate emails from senders outside the organization and not on the trusted list that happened to arrive during the attack.
As with all of Material’s detections and remediations, this protection has very flexible and granular settings, including the ability for automated remediation to be disabled altogether. When combined with other remediation actions available, the attack response can be tailored to fit your security needs.
Conclusion
Email bombs aren’t new, but that doesn’t make them any less of a problem. Today’s email security market largely relies on little more than blocking inbound threats on a per-email basis–an approach that overlooks a huge chunk of the risks facing modern cloud workspace environments.
Material’s unique approach to email and cloud workspace security allows us to detect and remediate email bombs in seconds–with no effort on the part of the user or the security team–without deleting or losing legitimate emails caught up in the attack.
If you’d like to see it in action, contact us for a demo today.