Microsoft Defender for Office 365 to Block Email Bombing Attacks

Microsoft has announced a new security capability within its Defender for Office 365 suite aimed at combating the growing threat of email bombing attacks. 

The feature, officially labeled “Mail Bombing Detection,” will automatically identify and quarantine high-volume email flooding campaigns that attempt to overwhelm user inboxes or obscure legitimate messages. 

This technology enhancement will be deployed globally between late June and July 2025, providing organizations with improved protection against this increasingly common attack vector without requiring additional configuration from security teams.

Email Bombing Threats and Detection Mechanisms

Email bombing represents a sophisticated form of cybersecurity threat where attackers flood target mailboxes with extraordinarily high volumes of messages in short timeframes. 

These attacks serve dual malicious purposes: overwhelming email infrastructure and burying important legitimate communications beneath waves of junk content. 

Microsoft’s new detection technology employs advanced machine learning algorithms to identify patterns consistent with bombing campaigns, distinguishing them from normal high-volume legitimate email traffic such as newsletters or marketing communications.

The system works by analyzing message velocity, sender reputation metrics, and content similarity factors across the Microsoft 365 defender platform. 

When suspicious patterns emerge, the MailBombingDetection module triggers defensive protocols that automatically route identified messages to users’ Junk folders. 

Microsoft engineers have developed this system to respect existing Safe Sender configurations, ensuring that authorized high-volume senders remain unaffected by the new protection layer.

Security Operations teams will gain visibility into email bombing attacks through multiple interfaces within the Microsoft Defender portal. 

The new detection type will be prominently displayed in Threat Explorer (ThreatExplorer.Action == “MailBombing”), Email Entity View, and the Email Summary Panel. For organizations using programmatic security monitoring, the detections will also be accessible through Advanced Hunting queries using KQL (Kusto Query Language).

This integration ensures seamless incorporation into existing security workflows and reporting mechanisms, allowing organizations to maintain comprehensive visibility across their threat landscape.

The global rollout begins in late June 2025 with completion expected by late July 2025. As this feature activates automatically without requiring manual configuration, Microsoft recommends that organizations prepare by:

• Updating internal security documentation to reference the new detection capability.
• Reviewing Junk folder handling policies to ensure alignment with organizational requirements.
• Briefing Security Operations teams on expected dashboard changes and new detection visibility.

Organizations with compliance requirements should note that this feature modifies email classification and routing processes, introduces new machine learning capabilities, and may affect audit logging visibility for messages redirected to Junk folders.

Microsoft’s Mail Bombing Detection represents a significant enhancement to defender capabilities, addressing a specific attack vector that has grown increasingly prevalent in the evolving threat landscape.

Power up early threat detection, escalation, and mitigation with ANY.RUN’s Threat Intelligence Lookup. Get 50 trial searches.