
Email bombing attacks

Query language: KQL · Level: MEDIUM · Repository: Azure-Sentinel · Table: EmailEvents · Tags: hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-10T23:00:00Z · Confidence: medium

Hunt Hypothesis

Email bombing attacks flood a single recipient with a large volume of email in a short time, overwhelming the inbox and potentially disrupting their ability to receive legitimate communications. The query below approximates this behaviour by counting, per recipient and per 5-minute bin, delivered messages from senders with no previously established contact, and flags recipients that receive more than five such first-contact messages in one bin. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify affected users and mitigate potential disruptions to user productivity and security posture.

KQL Query

// Find mail that is older than 4 hrs and establish if it is a reply/forward or not. Join that to recent mail where the User hadn't communicated previously. These are new first contact messages.
let Contact_Established = EmailEvents 
| where Timestamp <= ago(4hr)
| where DeliveryLocation != "Quarantine"
and EmailDirection == "Inbound"
and OrgLevelAction != "Block"
and UserLevelAction != "Block"
| extend NewMsg = case(Subject startswith "RE:", false, Subject startswith "FW:", false, true )
| where NewMsg == false
| project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress);
// Find new mail in the last 4hrs.
EmailEvents
| where Timestamp > ago(4hr)
and DeliveryAction == "Delivered"
| extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
| where Pair !in (Contact_Established)
| summarize 5_Min_Count = dcount(NetworkMessageId) by RecipientEmailAddress, bin(Timestamp, 5m)
| where 5_Min_Count > 5 // check if recipient has received more than 5 first contact emails in 5 mins
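To reason about the hunt offline (how the first-contact baseline is built, how the 5-minute binning and dcount behave, where the threshold sits), here is an added Python re-implementation of the KQL logic above, run over constructed EmailEvents-style rows. This is example code written for this page, not code from the Azure-Sentinel repository; the column names follow the EmailEvents schema, while the addresses, message ids, timestamps and the reference time NOW are made up.

```python
# Added example (not from the Azure-Sentinel repository): the KQL hunt above
# re-implemented in Python over constructed EmailEvents-style rows, so the
# first-contact baseline, bin(Timestamp, 5m), dcount and the >5 threshold
# can be exercised offline. Column names follow EmailEvents; the data is made up.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 10, 23, 0, tzinfo=timezone.utc)  # constructed reference time
LOOKBACK = timedelta(hours=4)                             # ago(4hr)
BIN_SECONDS = 300                                         # bin(Timestamp, 5m)
THRESHOLD = 5                                             # 5_Min_Count > 5


def event(msg_id, minutes_before_now, sender, recipient, subject, **overrides):
    """Build one EmailEvents-like row; keyword overrides replace the defaults."""
    row = {
        "NetworkMessageId": msg_id,
        "Timestamp": NOW - timedelta(minutes=minutes_before_now),
        "SenderMailFromAddress": sender,
        "RecipientEmailAddress": recipient,
        "Subject": subject,
        "EmailDirection": "Inbound",
        "DeliveryAction": "Delivered",
        "DeliveryLocation": "Inbox/folder",
        "OrgLevelAction": "Allow",
        "UserLevelAction": "Allow",
    }
    row.update(overrides)
    return row


def pair(row):
    # strcat(SenderMailFromAddress, "|", RecipientEmailAddress)
    return f"{row['SenderMailFromAddress']}|{row['RecipientEmailAddress']}"


def contact_established(events, now=NOW):
    """Mirror of the Contact_Established let: inbound, non-quarantined, non-blocked
    mail at least 4h old whose subject starts with RE: or FW: (KQL startswith is
    case-insensitive, hence the lower-casing)."""
    pairs = set()
    for e in events:
        if e["Timestamp"] > now - LOOKBACK:
            continue
        if (e["DeliveryLocation"] == "Quarantine" or e["EmailDirection"] != "Inbound"
                or e["OrgLevelAction"] == "Block" or e["UserLevelAction"] == "Block"):
            continue
        subject = e["Subject"].lower()
        if subject.startswith("re:") or subject.startswith("fw:"):
            pairs.add(pair(e))
    return pairs


def bin_start(ts):
    """Floor a timestamp to its 5-minute bin, like bin(Timestamp, 5m)."""
    secs = int(ts.timestamp())
    return datetime.fromtimestamp(secs - secs % BIN_SECONDS, tz=timezone.utc)


def email_bombing_candidates(events, now=NOW):
    """Recipients with more than THRESHOLD distinct first-contact messages delivered
    in one 5-minute bin during the last 4h. Returns {(recipient, bin_start): dcount}."""
    known = contact_established(events, now)
    per_bin = defaultdict(set)  # set of NetworkMessageId per (recipient, bin) = dcount
    for e in events:
        if e["Timestamp"] <= now - LOOKBACK or e["DeliveryAction"] != "Delivered":
            continue
        if pair(e) in known:
            continue
        per_bin[(e["RecipientEmailAddress"], bin_start(e["Timestamp"]))].add(e["NetworkMessageId"])
    return {key: len(ids) for key, ids in per_bin.items() if len(ids) > THRESHOLD}


# Constructed sample: an old reply establishes contact with partner@example.net, then
# victim@example.com receives seven distinct sign-up mails inside the 22:30-22:35 bin.
SAMPLE_EVENTS = [
    event("m-old-1", 6 * 60, "partner@example.net", "victim@example.com", "RE: contract"),
] + [
    event(f"m-burst-{i}", m, f"noreply@shop{i}.example", "victim@example.com", f"Welcome to shop{i}")
    for i, m in enumerate([29, 28, 28, 27, 27, 26, 26], start=1)
] + [
    event("m-burst-7", 26, "noreply@shop7.example", "victim@example.com", "Welcome to shop7"),  # duplicate row, same id
    event("m-partner", 27, "partner@example.net", "victim@example.com", "RE: contract"),        # established, ignored
    event("m-junk", 26, "noreply@shop9.example", "victim@example.com", "Welcome", DeliveryAction="Junked"),
    event("m-late-1", 24, "noreply@shop10.example", "victim@example.com", "Welcome"),          # next bin: only 2
    event("m-late-2", 23, "noreply@shop11.example", "victim@example.com", "Welcome"),
] + [
    event(f"m-col-{i}", 28, f"noreply@svc{i}.example", "colleague@example.com", "Welcome")     # 3, under threshold
    for i in range(1, 4)
]

if __name__ == "__main__":
    for (recipient, start), n in email_bombing_candidates(SAMPLE_EVENTS).items():
        print(f"{recipient}: {n} first-contact messages in the bin starting {start.isoformat()}")
```

Running the sample reports only victim@example.com for the 22:30 bin with a dcount of 7: the duplicated row does not inflate the count, the reply from the established partner and the junked message are excluded, and the two messages that land in the next bin stay under the threshold. Two properties of the query are worth keeping in mind when triaging hits: the baseline only treats a sender as known if an inbound reply or forward from that sender is already more than four hours old, so automated senders that only ever send fresh messages (notification and newsletter services) are always counted as first contact; and the recent-mail side filters on DeliveryAction alone, not EmailDirection, so intra-org and outbound rows can contribute to a recipient's count.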

Analytic Rule Definition

id: 8d6ecda2-1cc1-49f8-a208-de0e5b42a61b
name: Email bombing attacks
description: |
  This query helps review recipients who are potentially victims of email bombing attacks
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - Initial access
query: |
  // Find mail that is older than 4 hrs and establish if it is a reply/forward or not. Join that to recent mail where the User hadn't communicated previously. These are new first contact messages.
  let Contact_Established = EmailEvents 
  | where Timestamp <= ago(4hr)
  | where DeliveryLocation != "Quarantine"
  and EmailDirection == "Inbound"
  and OrgLevelAction != "Block"
  and UserLevelAction != "Block"
  | extend NewMsg = case(Subject startswith "RE:", false, Subject startswith "FW:", false, true )
  | where NewMsg == false
  | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress);
  // Find new mail in the last 4hrs.
  EmailEvents
  | where Timestamp > ago(4hr)
  and DeliveryAction == "Delivered"
  | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
  | where Pair !in (Contact_Established)
  | summarize 5_Min_Count = dcount(NetworkMessageId) by RecipientEmailAddress, bin(Timestamp, 5m)
  | where 5_Min_Count > 5 // check if recipient has received more than 5 first contact emails in 5 mins

Required Data Sources

Sentinel Table | Notes
EmailEvents | Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Initial Access (TA0001), as listed under tactics in the rule definition above.
References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Hunting/Email bombing.yaml