In a case described by Darktrace, attackers used spam bombing as the setup for a remote-access social engineering attack.

The trick is simple: first create confusion, then present yourself as the person who can solve it.

What Happened

The attackers used the target’s email address to subscribe them to more than a hundred legitimate services.

Within minutes, the target received a flood of messages from real senders in multiple languages. Because the emails were technically legitimate confirmations, newsletters, and sign-up messages, no single message looked malicious in isolation.

That noise created the opening for the real attack. A supposed “helpful IT person” contacted the target and used the ongoing email flood as context to make the request for remote access seem credible.

The final step was the important one: the attacker convinced the user to grant access through Microsoft Quick Assist.

Why This Works

Spam bombing works because it combines two effects:

  • the target becomes overloaded and more likely to make a rushed decision
  • a follow-up support contact feels timely and believable

This is also why single-message detection is not enough. The problem is often the overall pattern, not one obviously malicious email.

How to Reduce the Risk

  • Monitor for unusual email-volume spikes and other communication anomalies, not just suspicious individual messages.
  • Share examples like this with staff so they know that a sudden flood of legitimate emails can itself be part of an attack.
  • Treat unsolicited support outreach with caution, especially during an ongoing incident or confusing event.
  • If someone claims to be helping with the issue, end the conversation and contact your internal IT or provider yourself through an official channel.
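
The pattern-level monitoring described above (flagging the flood rather than any single message) can be sketched as follows. This is an added example, not code from Darktrace or the original article. The log tuple format, the 10-minute window, the 30-domain threshold and the use of first-seen sender domains as the signal are all assumptions to tune against your own mail flow.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed window; tune to your mail flow
MIN_NEW_DOMAINS = 30            # assumed threshold of first-seen sender domains


def detect_bursts(events, baseline, window=WINDOW, min_new=MIN_NEW_DOMAINS):
    """events: (timestamp, recipient, sender) tuples sorted by time.
    baseline: recipient -> sender domains seen in a prior baseline period.
    Returns one (recipient, first_seen, alert_time, distinct_domains) per burst."""
    recent = defaultdict(deque)  # recipient -> (ts, domain) of first-seen senders
    alerting, alerts = set(), []
    for ts, rcpt, sender in events:
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in baseline.get(rcpt, set()):
            continue  # mail from an established correspondent is not signal
        q = recent[rcpt]
        q.append((ts, domain))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct < min_new:
            alerting.discard(rcpt)
        elif rcpt not in alerting:  # alert once per burst, not per message
            alerting.add(rcpt)
            alerts.append((rcpt, q[0][0], ts, distinct))
    return alerts


def build_sample():
    """Constructed sample data, not taken from the Darktrace case."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    baseline = {"bob@corp.example": {"partner.example"}}
    events = []
    # alice: 120 sign-up confirmations from 120 distinct services in 6 minutes
    for i in range(120):
        events.append((t0 + timedelta(seconds=3 * i), "alice@corp.example",
                       f"noreply@service{i}.example"))
    # carol: 40 mails from one unfamiliar sender (a bulk newsletter, not a bomb)
    for i in range(40):
        events.append((t0 + timedelta(seconds=5 * i), "carol@corp.example",
                       "news@newsletter.example"))
    # bob: routine traffic from a known correspondent
    for i in range(5):
        events.append((t0 + timedelta(minutes=i), "bob@corp.example",
                       "ops@partner.example"))
    return sorted(events), baseline


if __name__ == "__main__":
    for alert in detect_bursts(*build_sample()):
        print(alert)
```

Counting distinct first-seen sender domains, rather than raw message count, keeps an ordinary bulk mailing from one sender from raising the same alert as a subscription flood. An alert on a mailbox is also a cue to warn that user that unsolicited "IT support" contact may follow.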

The most useful lesson here is straightforward: attackers do not always need to bypass technical controls directly. Sometimes they just need enough noise to make a bad request sound reasonable.