
O365 user woke up to 800 inbound spam emails

Posted by Vivid_Mongoose_8964@reddit | sysadmin | 66 comments

Anyone ever seen anything like this before? The email was not hacked at all from what I can tell. It's just a shit ton of spam crap.


66 Comments

Izbegaya@reddit

Probably not spam but rather registration confirmations. It is a way of hiding an email from a credit card company regarding a suspicious transaction. Can't recall the term for this attack.

sabertoot@reddit

Spam bomb?

Izbegaya@reddit

found it, [email bomb](https://en.wikipedia.org/wiki/Email_bomb)

Zerafiall@reddit

Personally I don’t care for that term. It makes it sound like the email is the threat, when really it’s an obfuscation technique. “Email bomb decoy” or “Email smoke bomb” make more sense to get the nature of the issue across. But that’s just me.

EducationalIron@reddit

Cluster Spam Decoy

rswwalker@reddit

Email misdirection

sitesurfer253@reddit

Sleight of Spam

Geminii27@reddit

Spamvalanche

bjc1960@reddit

Yes. Using Exchange Online rules, I block any inbound mail from Gmail or AOL with the following words. This did however send a marketing applicant's mail into quarantine.

* SEO
* audit
* website traffic
* google result
* google results
* website audit
* We can place your website
* Google first page
* S.E.O.
* Drawings for Estimate
* Quote To Bid
* Bid Estimate
* Need a Quote
* cost estimating and architectural services
* Quote For Construction Projects
* cost estimating services
* Plans Estimation
* construction estimating and takeoff services
* project for estimating for us
* Quote For Estimate
* Let me know if you have any questions or send me the plans to use our services
* Define Estimating
* I'm following up on my previous email
* Do you need any estimation or takeoff services for your project
* Website Proposal
* estimating services
* Bid estimating
* Estimation Project

Sarduci@reddit

Yes, usually it’s to hide some kind of email notification somewhere in that mess that something happened like a password reset was performed for an external account or a money transfer happened from a bank. They count on you not going through 800 emails and just hitting delete. Source: Managed Security Services provider. See this all the time.

ericvader8@reddit

What's your preferred method to detect the one email in question? Honest question in case we ever see this. Thanks!

Sarduci@reddit

A junior security consultant who goes through each email one at a time to find the one. A list of email domains from key partners and vendors that the client works with. A highly tuned anti-spam filter.

NoodlezTheZombie@reddit

There was a restaurant a few years back in my home town that had this happen. In the course of 24hrs they had 20,000+ emails. They caught the e-transfer because they never do those so the bank gave them a heads up. But unfortunately had to wait until the emails died down on their own.

sitesurfer253@reddit

As everyone else is saying. This. My old boss had the company Verizon account hacked and they sent like 20 $800 phones to random addresses around the US. He had been connected to a man in the middle wifi device at a coffee shop and they captured his login for luckily only that one portal.

arwinda@reddit

Was there no warning that certificates don't match, or other warnings? Did the old boss just ignore all of this?

jackalsclaw@reddit

Set up a fake website, and redirected the traffic to it with a dirty DNS server.

danielv123@reddit

That still requires you to change domain/use http/get invalid certificate, no?

what-the-puck@reddit

Yes

SilentLennie@reddit

Yes, but sort of... no, see my other comment.

what-the-puck@reddit

Everyone uses HSTS now. So unless the boss who was compromised cleared their browser configuration, or used a browser from 5 years ago, they wouldn't be able to use HTTP.

SilentLennie@reddit

Maybe opened a private window? I don't know, this is usually what is done/happens.

SilentLennie@reddit

Well, it's an old trick (Black Hat DC 2009): https://youtu.be/MFol6IMbZ7Y?t=1403
This helps a bit: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
And this solves it: https://support.mozilla.org/en-US/kb/https-only-prefs#w_enabledisable-https-only-mode

Kelsier25@reddit

Yep - I bet it's this. Seen it multiple times now. Every time had luck just searching for words like "order", "receipt", "transaction", "invoice". The last one was a Walmart transaction where someone tried to order airpods with the compromised account. I've worried about emails continuing, but every time so far they've stopped after we recovered access to the compromised account (and nothing more came from all of the newsletter sign-ups).
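As an added example (not code from Sarduci, Kelsier25 or anyone else in this thread), a small Python triage of the approach they describe: pull out messages from an assumed list of partner/vendor domains or with transaction-style subjects, and count the rest per sender domain so the one-off sign-up senders stand out from the notification being hidden. The inbox, domain list and keyword list are all constructed.

```python
import re
from collections import Counter

# Constructed sample of a flooded inbox as (sender, subject); not real messages.
SAMPLE_INBOX = [
    ("noreply@newsletter-one.example", "Confirm your subscription"),
    ("hello@dailydeals.example", "Welcome! Please confirm your email"),
    ("alerts@examplebank.example", "Wire transfer of $4,800 has been sent"),
    ("news@gadgetblog.example", "Confirm your subscription"),
    ("no-reply@shop.example", "Your order #1234 receipt"),
    ("updates@cookingtips.example", "Please confirm your email address"),
    ("account@telco.example", "Your password was reset"),
]

# Assumed list of partner/vendor domains the user actually deals with.
TRUSTED_DOMAINS = {"examplebank.example", "telco.example"}

# Subject words that tend to mark the notification the flood is hiding.
KEYWORDS = re.compile(
    r"\b(order|receipt|transaction|invoice|transfer|password|reset)\b", re.I)


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def triage(inbox, trusted_domains=TRUSTED_DOMAINS, keywords=KEYWORDS):
    """Return (suspects, noise): suspects are (sender, subject, reasons) for mail
    from a trusted domain or with a transaction-like subject, to read first;
    noise counts everything else per sender domain, where a sign-up bomb shows
    as many domains sending one or two messages each."""
    suspects, noise = [], Counter()
    for sender, subject in inbox:
        reasons = []
        if sender_domain(sender) in trusted_domains:
            reasons.append("trusted domain")
        hit = keywords.search(subject)
        if hit:
            reasons.append("keyword: " + hit.group(1).lower())
        if reasons:
            suspects.append((sender, subject, reasons))
        else:
            noise[sender_domain(sender)] += 1
    return suspects, noise


def suspect_senders(inbox=SAMPLE_INBOX) -> list:
    """Just the addresses worth opening first, in inbox order."""
    return [sender for sender, _, _ in triage(inbox)[0]]
```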

urielsalis@reddit

Happened to me. Fun thing is that all of the domain registration emails in AWS came after the spam emails and I noticed immediately lol

CaterpillarStrange77@reddit

This will be it. They try to flood the mailbox with useless emails. It has been breached.

Polar_Ted@reddit

We had exactly that happen a few weeks ago.. Hiding in the spam was an email for a line of credit being opened. Someone had stolen their identity.

dotbat@reddit

I've seen this as well, to cover up a wire transfer.

viking_cat@reddit

This happened to me personally. Received thousands of messages over the course of about 6 hours. They were doing it to cover up some malicious activity which was thankfully detected.

coolbeaner12@reddit

This. I have seen this happen, and it is not a pretty sight.

JudgeCastle@reddit

Our inbound branded emails were being hit with a hundred or so a day. All with specific things I could block, especially ones with (.)htm files in them. Malware filter handled those. We still get the odd one to slip through. I’d still have them change their password, even if there wasn’t a compromise.

cantuse@reddit

Don't know how you are doing your mail filtering, but if it's O365, I ran into the occasional HTML attachment getting through. Turns out that if the attachment has a trailing period (aka the file is totallylegit.htm. ), then this seems to bypass the HTML filters. If your transport rule for blocking HTML is based on the extension type, then this seems to bypass it. You can verify this type of attack was performed by downloading the message with the bad attachment in EML format and looking at the extension in the MIME descriptors; you'll see the trailing period there. You have to change the transport rule to use a regex and use expressions like \.htm, \.html, \.htm\. and \.html\. to catch them. Ever since I started doing this for clients that use similar transport rules, this has worked much more effectively. Reference thread from when I looked into this some time ago: https://old.reddit.com/r/sysadmin/comments/r845tj/is_there_a_method_of_mail_delivery_that_bypasses/
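The trailing-period bypass above, as an added Python example (not cantuse's or anyone else's code from this thread): it parses a constructed EML whose attachment is declared as totallylegit.htm., then shows that a last-extension check misses it while the \.htm-style patterns from the comment catch it.

```python
import email
import re
from email import policy

# Constructed sample EML (not a real message): the attachment name ends in a period.
SAMPLE_EML = b"""From: sender@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: text/html; name="totallylegit.htm."
Content-Disposition: attachment; filename="totallylegit.htm."

<html><body>constructed sample</body></html>
--b1--
"""

BLOCKED_EXTENSIONS = {"htm", "html"}

# The patterns the comment recommends for the transport rule, as written there.
ATTACHMENT_NAME_PATTERNS = [re.compile(p, re.IGNORECASE)
                            for p in (r"\.htm", r"\.html", r"\.htm\.", r"\.html\.")]


def attachment_names(raw_eml: bytes) -> list:
    """Filenames of all attachment parts, exactly as declared in the MIME headers."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def extension_rule_blocks(filename: str) -> bool:
    """Extension-based rule: the text after the last '.' is compared with the
    block list.  A trailing period makes that text empty, so the file passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


def regex_rule_blocks(filename: str) -> bool:
    """Pattern rule: block if any pattern is found anywhere in the name."""
    return any(p.search(filename) for p in ATTACHMENT_NAME_PATTERNS)


def evaluate(raw_eml: bytes) -> dict:
    """Map each attachment name to (blocked_by_extension_rule, blocked_by_regex_rule)."""
    return {n: (extension_rule_blocks(n), regex_rule_blocks(n))
            for n in attachment_names(raw_eml)}
```

The patterns are unanchored, as in the comment, so \.htm also matches a name such as notes.htm.txt; anchoring them with $ tightens that if it causes false positives.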

JudgeCastle@reddit

It has been mostly successful with random incidents. I will be adding these as we almost never get any that are legit. Thank you for the heads up. Solid data.

cantuse@reddit

Noticed that Reddit removed my backslashes. The regex format would be \\.htm, \\.html, \\.htm\\. and \\.html\\.

pockypimp@reddit

I had a user at my last job who was out on medical LOA. We got a report that his account was being restricted due to spam. We go into the admin center and sure enough it looks like he's been phished. It took a couple of days but the user called me and gave me his current password and I told him what his new password would be when I was done. I went into his mailbox to clear any rules that the intruder made. There were over 3K new emails all from bounceback replies of non-existent email addresses. I deleted all of those for him.

Strict_Repeat4278@reddit

Does nobody have proper email filtering to prevent email bombing? At least rate limiting the domain?

dirkrob@reddit

We use SpamTitan and it just works and works

bloodguard@reddit

Do they have any ongoing beefs with someone? Or someone that might prank them? I remember there used to be a page that you could just input an email and they'd start receiving all manner of spam. Even had check boxes for what kind (G rated, PG-13, X rated, and holy crap that's disgusting). Used to use it on dummy mailboxes to train/test spam filters.

NoLongerGage@reddit

Simple fix. Have them go back to sleep.

RoaringRiley@reddit

Modern problems require modern solutions.

jeffrey_f@reddit

Ask the user if they have put their email into a form on the internet in the past weeks or months.

Vivid_Mongoose_8964@reddit (OP)

They haven't, they're actually one of my most cautious users.

sitesurfer253@reddit

Any public Wi-Fi connections? If so, did they log into any accounts while there? Coffee shop, airport, etc.

alpha417@reddit

That means you're not fully aware of what they do

Vivid_Mongoose_8964@reddit (OP)

So you monitor every user keystroke? Did you perhaps think someone else mail-bombed them? Are you always this dumb or just on Sundays?

LDForget@reddit

Sundays are double time dumb.

Cold417@reddit

Sundays get the freemium IQ.

jeffrey_f@reddit

It only takes 1 time.

IntellDay13@reddit

Probably pissed someone off.

jeffrey_f@reddit

I've seen that happen with someone's personal email. The flood was horrible. But turning on spam protection pushed almost all the spam to the junk folder.

bcredeur97@reddit

Once knew someone who got signed up for thousands of newsletters at once. He awoke to like 80,000 unread emails, and they just kept on pouring in. I have no idea what horrid service or something lets someone do this to someone, and I still have no idea how to actually properly fix that situation other than getting a new email address lol. But that was pretty crazy.

PlatimaZero@reddit

We had this happen to a customer when one of their staff was let go, and out of 'revenge' submitted their email address to tonnes of online forms

joeyl5@reddit

That used to be a problem years ago, but now most legit forums ask you to confirm the email before emailing regularly. The staff would have to register to a lot of forums for it to be an annoyance.

PlatimaZero@reddit

Nah this was about a year ago. There are still HEAPS that don't require confirmation unfortunately, but even then if they did it on their last day whilst said 'victim' was on a toilet break, easy email confirmations. 10/10 dick move

marklein@reddit

There used to be services to do this for you even (I suppose there still is, in the dark side of the internet). They had lists of poorly secured website forms that would generate emails and they'd submit to them all for you.

recourse7@reddit

Shoot, in my youth I did plenty of email bombs through unsecured relays.

PlatimaZero@reddit

Yeah that spam industry is apparently pretty bloody big 😑

ranhalt@reddit

Sounds like you have shitty email filtering.

NightOfTheLivingHam@reddit

have them change their passwords for any accounts linked to that email

jred2828@reddit

Yep, def as others are saying. It’s to obscure a password reset email or some sort of notification. I’ve seen it a lot with Verizon accounts. They change the shipping address and then order phones.

MakeItJumboFrames@reddit

We've had this happen before. The users were targeted by a service (or services) where they were signed up for a bunch of different lists and their mailbox got spammed with tons of spam. Those affected, when asked, have said it was probably done by someone they were working with who was being petty.

GhostDan@reddit

Could have pissed someone off. Plenty of websites you can sign people up for spam mailing lists. Post the email in clear text online. Could be a few things.

nighthawke75@reddit

Does it appear to originate from a single source? Or multiple ones?

kloeckwerx@reddit

Where did they use their email address? Might be a learning moment for them to never use their work email for non-work purposes.

LargeP@reddit

No, use email filtering. Filter all external emails

Scary-Jury1059@reddit

Has he had his email for a while? I've got O365 on an old email and the MS spam filter is shit! I can wake up to 10s of blatant spam emails.

bazjoe@reddit

Maybe now he will upgrade his car's warranty