Email bombs: what they are and what to do about them

Nate Work on October 20, 2025

This week, one of our legal clients brought to our attention that she had received an email warning her that someone had logged into her Crunchyroll account on a new device. However, she didn't have a Crunchyroll account.

At first glance, this looked like yet another account-creation scam — the kind where a random account signup tries to trick you into clicking “verify” or “reset password.” But this one came with a twist: within minutes, other staff members at the same firm started receiving similar “account confirmation” emails from entirely unrelated services.

What’s Really Going On

This turned out to be a textbook case of mail bombing — a tactic where attackers flood a target’s inbox with dozens or even hundreds of legitimate-looking sign-up confirmations or newsletters.

The goal isn’t just to annoy. It’s to bury the real signal in all that noise. Things like:

  • a legitimate password-reset email from your bank,
  • an alert from your Microsoft 365 account, or
  • a security verification message.

By overwhelming the mailbox, the attacker hopes you’ll miss the one message that matters.

It’s the digital equivalent of setting off fireworks outside someone’s window while sneaking past the door.

Why It Didn’t Work

Because this client’s Microsoft 365 environment is secured and monitored through Qore.IT, we were able to verify that:

  • there were no logins from outside the firm’s normal IP range, and
  • their accounts were protected behind multi-factor authentication and conditional access policies.

So while the attacker was busy signing up for anime streaming sites from Scotland, none of the firm’s actual accounts were ever at risk.
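
The two checks described above (spotting a burst of sign-up mail, then confirming there were no sign-ins from outside the firm's normal IP range) can be scripted over exported mail and sign-in records. This is an added example, not Qore.IT's tooling; the record fields, the office range 203.0.113.0/28, the subject keywords and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): office range, keywords and thresholds.
OFFICE_NETS = [ip_network("203.0.113.0/28")]
SIGNUP_WORDS = ("confirm", "verify", "welcome", "subscription", "new device")

def find_bursts(messages, window=timedelta(minutes=10), min_domains=5):
    """Map each recipient to the largest number of distinct sender domains
    that sent sign-up style mail inside one sliding window, if >= min_domains."""
    per_rcpt = defaultdict(list)
    for m in messages:
        if any(w in m["subject"].lower() for w in SIGNUP_WORDS):
            domain = m["from"].rsplit("@", 1)[-1].lower()
            per_rcpt[m["to"].lower()].append((m["time"], domain))
    bursts = {}
    for rcpt, hits in per_rcpt.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop messages older than the window
            domains = {d for _, d in hits[start:end + 1]}
            if len(domains) >= min_domains:
                bursts[rcpt] = max(bursts.get(rcpt, 0), len(domains))
    return bursts

def outside_office(signins, users):
    """Sign-ins for the given users whose source IP is outside OFFICE_NETS."""
    return [s for s in signins if s["user"].lower() in users
            and not any(ip_address(s["ip"]) in net for net in OFFICE_NETS)]

# Constructed sample data: six sign-up mails to one user in six minutes,
# one ordinary newsletter to another, and two sign-in records.
T0 = datetime(2025, 1, 1, 9, 0)
MAIL = [{"to": "a@firm.example", "from": f"noreply@site{i}.example",
         "subject": "Please confirm your new account",
         "time": T0 + timedelta(minutes=i)} for i in range(6)]
MAIL.append({"to": "b@firm.example", "from": "news@vendor.example",
             "subject": "Welcome to our newsletter", "time": T0})
SIGNINS = [{"user": "a@firm.example", "ip": "203.0.113.5"},
           {"user": "b@firm.example", "ip": "198.51.100.77"}]

if __name__ == "__main__":
    bombed = find_bursts(MAIL)
    print("registration-bomb targets:", bombed)
    print("sign-ins to review:", outside_office(SIGNINS, bombed))
```

An empty "sign-ins to review" list for the flooded mailboxes corresponds to the outcome in this incident: lots of noise, no access.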

How We Closed It Out

Once we confirmed that no compromise occurred, we replied:

What you and others experienced today is called mail bombing, a technique threat actors use to flood a target's mailbox to obfuscate "important e-mails like account sign-in attempts, updates to contact information, financial transaction details, or online order confirmations": https://www.hhs.gov/sites/default/files/email-bombing-sector-alert-tlpclear.pdf (see: "Registration Bombs" in that PDF.) That is, someone is trying to get into a service associated with your email address, like a bank account, and they're trying to hide the password reset email from that service. Little do they know that they wouldn't be able to access the password reset email anyway because we've secured the firm's Microsoft 365 tenant. But, just to make sure, I searched the sign-in logs for your account and found no logins from addresses other than the office's Comcast IP address.

The Takeaway

If you ever receive a flurry of “new account” or “subscription” confirmations for sites you’ve never used, don’t panic and don’t click anything.
Instead:

  • Report it to your IT team immediately.
  • Let them verify whether your real accounts (banking, email, etc.) show any suspicious activity.
  • Keep multi-factor authentication enabled — it stops most attacks cold.