This article contains information on Email Bomb attacks, their tactics, and mitigation strategies using Mimecast features like Graymail filtering, Spam Scanning, Content Examination, and Geographical Restrictions. It also includes user education and account protection tips. This applies to Cloud Gateway Environments.
How to deal with Email Bombs
What is an Email Bomb?
Email Bombs, otherwise known as Spam Bombs, "Form Attacks," "Registration Spam," or "Subscription Spam," are a common threat actor tactic that bombards users with unsolicited, benign emails in an attempt to lower their security awareness. Users may receive thousands of emails in various languages for days once the attack starts. Threat actors disrupt the user's routine, overloading the victim and making it easy to miss important notifications such as 2FA messages or audit entries. In less common cases, threat actors will sneak targeted malicious messages into the flood, hoping the victim is more apt to click on them because of the noise. More recently, victims of Email Bomb attacks have been receiving phone calls from the threat actors, who pose as the company's IT team, initiate remote access sessions with the victim, and/or attempt to extort them for money.
How are they doing this?
Threat actors commonly use bots to traverse the internet and automatically impersonate or spoof users, signing up for thousands of legitimate websites in minutes. The chosen websites often have properly configured DNS, which makes these attacks difficult to detect or stop. These websites typically do not have any form of CAPTCHA or proper opt-in/opt-out (Graymail) practices to prevent bots from signing up. Email Bomb attacks often begin with standard "Welcome" messages during the initial days-long rush. They can follow up in perpetuity with news or bulletin messages from the legitimate site.
What can you do to stop this?
Though this mail is legitimate, multiple layers of Mimecast can be used to reduce the impact of these attacks on users, temporarily or permanently.
- Educate the user base. IT support calls should only be initiated via your company's internal process.
- Consider your company's user permission levels, including the software they can use/launch. We suggest restricting the use of remote access software on user workstations.
- Ensure you are utilizing Mimecast’s Graymail filter and adjusting your Spam Scanning settings to Aggressive.
- Adjust/implement Content Examination policies.
- Adjust/implement Geographical Restrictions to restrict inbound mail flow to specific countries.
- https://community.mimecast.com/s/article/email-security-cloud-gateway-configuring-geographical-restrictions
- Adjust/implement your Greylisting policy.
- Review your current gateway policy bypasses for freemail domains/IP addresses.
- Review your current DNS configurations and hygiene.
- While we don’t recommend it, in the most extreme cases, you may choose to disable/delete the user's account or hold/pause inbound mail flow for that user.
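Because every message in an Email Bomb is individually legitimate, the useful signal for a SOC is the fan-in of unrelated sender domains sending welcome/confirmation mail to one mailbox in a short window. The following Python detector is an added example, not code from the Mimecast article or the Mimecast product; it assumes a constructed "|"-delimited log format (time|sender|recipient|subject) rather than Mimecast's real log schema, and the sample lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not real Mimecast output): time|sender|recipient|subject
SAMPLE_LOG = """\
2024-05-01T09:00:05Z|noreply@shop-a.example|alice@corp.example|Welcome to Shop A!
2024-05-01T09:00:09Z|hello@forum-b.example|alice@corp.example|Bienvenue sur Forum B
2024-05-01T09:00:14Z|news@site-c.example|alice@corp.example|Confirm your subscription
2024-05-01T09:00:20Z|info@blog-d.example|alice@corp.example|Willkommen bei Blog D
2024-05-01T09:00:31Z|signup@app-e.example|alice@corp.example|Please verify your email
2024-05-01T09:00:44Z|team@store-f.example|alice@corp.example|Bienvenido a Store F
2024-05-01T09:02:10Z|boss@corp.example|alice@corp.example|Q2 budget review
2024-05-01T09:05:00Z|newsletter@site-c.example|bob@corp.example|Weekly digest
"""

# Welcome/confirmation wording in several languages, since the flood arrives in many languages
WELCOME_RE = re.compile(r"welcome|bienvenue|willkommen|bienvenido|confirm|verify|subscription", re.I)

def parse_log(text):
    """Parse the constructed '|'-delimited lines; timestamps are assumed to be UTC ISO 8601."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, rcpt, subject = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "domain": sender.split("@", 1)[1].lower(),
                       "rcpt": rcpt.lower(), "subject": subject})
    return events

def find_email_bomb_targets(events, window=timedelta(minutes=10), min_domains=5):
    """Flag recipients getting welcome-style mail from many distinct domains inside one window.
    Each message is legitimate, so the signal is the fan-in of unrelated sender domains, not any one sender."""
    by_rcpt = defaultdict(list)
    for ev in events:
        if WELCOME_RE.search(ev["subject"]):
            by_rcpt[ev["rcpt"]].append(ev)
    flagged = {}
    for rcpt, evs in by_rcpt.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this mailbox's welcome mail
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            domains = {e["domain"] for e in evs[start:end + 1]}
            if len(domains) >= min_domains and len(domains) > flagged.get(rcpt, {}).get("domains", 0):
                flagged[rcpt] = {"domains": len(domains), "messages": end - start + 1,
                                 "first_seen": evs[start]["ts"].isoformat()}
    return flagged

print(find_email_bomb_targets(parse_log(SAMPLE_LOG)))  # stand-alone run over the sample log
```

A flagged mailbox is the cue to apply the measures above to that user (Graymail, Aggressive spam scanning, Content Examination) and to watch for the follow-on phishing message or the impersonated IT call the article describes.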