Mailbombing Attacks

There is a current mail-bomb cyberattack underway on multiple businesses, large and small. Users are being targeted with large numbers of emails from legitimate sites they may never have ever visited, asking them to confirm subscriptions to sites and services, reset their passwords or download files.

This is a distraction attack. The intent is to install malware on user devices via a zip file downloaded from a script. The emails may be followed by a Teams message or phone call from 'Microsoft support' or 'IT support'. The imposter persuades the user to install Anydesk and uses this to install malware on the user's device.

This attack has been confirmed by Mimecast and Crowdstrike. It can be blocked by blocking installations of Anydesk, tightening email rules on Defender or your email gateway, or creating filter rules that detect words such as "welcome", "subscribe', "subscription" or "password". Also, blacklisting the Anydesk site for your users will help.

Alongside these measures and alerting your users we would recommend using Deep Instinct, which detects and stops any attempt to install malware, including from scripts and zip files and even zero-days, in less than 20ms.