Email Bombing Used as a Distraction During Account Compromise

A finance employee's inbox was flooded with thousands of newsletter subscriptions while their credentials were being used to access financial systems. The timing was not a coincidence.

All identifying details have been removed. Techniques and investigation logic are representative of actual work.

Background

The helpdesk received a call from a finance department employee reporting that their inbox was "exploding." Thousands of newsletter confirmation and subscription emails were arriving continuously. They couldn't see their real emails through the noise and couldn't work. They asked for help managing the inbox.

This was escalated to the SOC, not for the email volume itself, but because of a pattern that had been documented in threat intelligence: email bombing is used by attackers to bury MFA notification emails and financial transaction confirmations, making it harder for the victim to notice the real activity happening in parallel.

The Attack Timeline

Reviewing the authentication logs while the inbox issue was still being managed revealed the following sequence:

  • An attacker had obtained the employee's credentials (method unknown at this point)
  • A login was attempted from a foreign IP address and triggered an MFA push notification
  • The email bombing began within seconds of the MFA push, flooding the inbox
  • A second MFA push was sent as a phone call prompt (legacy MFA fallback), which the employee answered and approved, thinking it was part of the inbox issue resolution process
  • The attacker's session was authenticated
  • Access to the company's financial management portal occurred over the next 23 minutes

The email bombing was not random or coincidental. It was timed to prevent the employee from seeing the MFA push notification email in their inbox, and then to create enough confusion that a follow-up MFA voice call didn't feel suspicious.

Investigation

Once the authentication logs were reviewed, the sequence was clear. The financial portal session logs showed the attacker had browsed to the vendor payment configuration section and reviewed three pending outgoing wire transfers. No changes were made during the 23-minute session. The session was terminated when the attacker's IP was flagged by the network monitoring tool and the session was force-expired.

It was later established that the credentials had likely been obtained via a credential stuffing attack: the employee had used the same password on a third-party site that had been breached. A dark web monitoring tool confirmed the credentials appeared in a breach dataset from 18 months earlier.

The employee had no knowledge that their credentials had been compromised prior to this incident.

What Was at Risk

The financial portal contained active wire transfer instructions totalling a significant amount. Had the attacker modified the destination account details on a pending transfer, the fraud could have gone undetected until the transfer cleared. The 23-minute session was enough time to do it.

Remediation

The employee's credentials were reset immediately. The legacy voice call MFA fallback was removed from their account. The finance department's MFA configuration was reviewed and all legacy fallback options were disabled across the group. A process review was initiated to add a second approval step (from a separate individual) to all outgoing wire transfers above a threshold value.

A detection rule was added for email volume anomalies on finance accounts occurring concurrently with foreign authentication attempts. A staff communication was sent to finance explaining the email bombing distraction technique without identifying the affected individual.
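The correlation logic behind that rule, as an added example that is not the team's actual rule: it flags any account whose authentication events from outside the home country coincide with a burst of inbound mail to the same account. The account names, countries, window and threshold are assumed, and the log events are constructed to mirror the timeline above.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data, not logs from the incident.
# Inbound mail events: (timestamp, recipient account). A quiet morning,
# then 40 newsletter confirmations arriving every 3 s from 09:01:00.
MAIL_LOG = [(ts("2024-01-01T08:40:00"), "fin.user"),
            (ts("2024-01-01T08:55:00"), "fin.user"),
            (ts("2024-01-01T09:01:30"), "other.user")]
MAIL_LOG += [(ts("2024-01-01T09:01:00") + timedelta(seconds=3 * i), "fin.user")
             for i in range(40)]

# Authentication events: (timestamp, account, source country, event type).
AUTH_LOG = [
    (ts("2024-01-01T08:30:00"), "fin.user", "GB", "login_success"),     # normal, home country
    (ts("2024-01-01T09:00:50"), "fin.user", "RO", "mfa_push_sent"),     # foreign login attempt
    (ts("2024-01-01T09:02:30"), "fin.user", "RO", "mfa_voice_approved"),  # legacy fallback approved
    (ts("2024-01-01T09:01:30"), "other.user", "RO", "mfa_push_sent"),   # foreign, but no mail burst
]

HOME_COUNTRIES = {"GB"}  # assumed; in practice derive from the user's normal locations

def mail_count_in_window(mail_log, account, centre, window):
    """Number of inbound messages to `account` within +/- `window` of `centre`."""
    return sum(1 for t, rcpt in mail_log if rcpt == account and abs(t - centre) <= window)

def correlate(mail_log, auth_log, home_countries,
              window=timedelta(minutes=5), threshold=25):
    """Alert when an authentication event from outside the home countries
    coincides with an inbound mail burst to the same account.
    `threshold` is a fixed count here; a per-user baseline would be better."""
    alerts = []
    for t, account, country, event in auth_log:
        if country in home_countries:
            continue
        n = mail_count_in_window(mail_log, account, t, window)
        if n >= threshold:
            alerts.append({"account": account, "auth_time": t, "event": event,
                           "country": country, "mail_in_window": n})
    return alerts

if __name__ == "__main__":
    for alert in correlate(MAIL_LOG, AUTH_LOG, HOME_COUNTRIES):
        print(alert)
```

Both foreign events for fin.user fire (40 messages inside the window); the foreign attempt against other.user does not, because there is no accompanying burst.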

Outcome

No financial loss occurred. The attacker viewed but did not modify transfer instructions. The incident drove meaningful security improvements: legacy MFA fallback removal, dual-approval controls for wire transfers, and a new detection rule linking email bombing volume spikes to concurrent authentication events on the same account.

Classification: Account Takeover / BEC-Adjacent
Initial Access: Credential stuffing using credentials from third-party breach
Distraction Method: Mass newsletter subscription bombing
MFA Bypass: Legacy voice call fallback, approved by confused victim
Impact: Unauthorised access to financial portal. No transfers modified.
MITRE Techniques: T1586.002 (Compromise Email Account), T1078 (Valid Accounts), T1110.004 (Credential Stuffing), T1562 (Impair Defenses via noise)