ATTACK-T1667Active

Email Bombing

Statement

Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations.(Citation: sophos-bombing)(Citation: krebs-email-bombing)

An adversary may accomplish email bombing by leveraging an automated bot to register a targeted address for e-mail lists that do not validate new signups, such as online newsletters. The result can be a wave of thousands of e-mails that effectively overloads the victim’s inbox.(Citation: krebs-email-bombing)(Citation: hhs-email-bombing)

By sending hundreds or thousands of e-mails in quick succession, adversaries may successfully divert attention away from and bury legitimate messages including security alerts, daily business processes like help desk tickets and client correspondence, or ongoing scams.(Citation: hhs-email-bombing) This behavior can also be used as a tool of harassment.(Citation: krebs-email-bombing)

This behavior may be a precursor for Spearphishing Voice. For example, an adversary may email bomb a target and then follow up with a phone call to fraudulently offer assistance. This social engineering may lead to the use of Remote Access Software to steal credentials, deploy ransomware, conduct Financial Theft(Citation: sophos-bombing), or engage in other malicious activity.(Citation: rapid7-email-bombing)

Location

Tactic: Impact

Technique Details

Identifier: ATTACK-T1667
ATT&CK Page: View on MITRE

Tactics

Impact

Platforms

LinuxOffice SuiteWindowsmacOS

Detection

Detection Strategy for Email Bombing

Mitigations

User Training: User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:

Create Comprehensive Training Programs:

Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

Include cybersecurity training as part of the onboarding process for new employees.
Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

Update training materials to include emerging threats and techniques used by adversaries.
Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
Discuss how specific employee actions can prevent or mitigate such attacks.

Software Configuration: Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

Review the software documentation to identify recommended security configurations.
Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

Restrict access to sensitive features or data within the software.
Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

Perform configuration changes in a staging environment before applying them in production.
Conduct regular audits to ensure that settings remain aligned with security policies.

Tools for Implementation

Configuration Management Tools:

Ansible: Automates configuration changes across multiple applications and environments.
Chef: Ensures consistent application settings through code-based configuration management.
Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

CIS-CAT: Provides benchmarks and audits for secure software configurations.
Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

Splunk: Aggregates and analyzes application logs to detect suspicious activity.

No cross-framework mappings available

← Back to Impact

Statement

Create Comprehensive Training Programs:

Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
Provide role-specific training for high-risk employees, such as helpdesk staff or executives.

Use Simulated Exercises:

Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
Run social engineering drills to evaluate employee responses and reinforce protocols.

Leverage Gamification and Engagement:

Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.

Incorporate Security Policies into Onboarding:

Include cybersecurity training as part of the onboarding process for new employees.
Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.

Regular Refresher Courses:

Update training materials to include emerging threats and techniques used by adversaries.
Ensure all employees complete periodic refresher courses to stay informed.

Emphasize Real-World Scenarios:

Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
Discuss how specific employee actions can prevent or mitigate such attacks.

Conduct a Security Review of Application Settings:

Review the software documentation to identify recommended security configurations.
Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

Restrict access to sensitive features or data within the software.
Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

Perform configuration changes in a staging environment before applying them in production.
Conduct regular audits to ensure that settings remain aligned with security policies.

Tools for Implementation

Configuration Management Tools:

Ansible: Automates configuration changes across multiple applications and environments.
Chef: Ensures consistent application settings through code-based configuration management.
Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

CIS-CAT: Provides benchmarks and audits for secure software configurations.
Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Email Bombing

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0

Email Bombing

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0