Prevent email bomb attacks - the DDoS of email

Email bombs disable mailboxes and provide cover for machine and account takeovers. Sublime can prevent them from ever reaching an inbox.

Our previous solution delivered a well-crafted phishing email to our technology team, but Sublime identified it as malicious immediately. That was our first 'oh yeah, Sublime is way better' moment.

Patrick Lafleur
Director of Information Security & Privacy, Maple

Email bombs in a nutshell

Email bombs are the DDoS of email. They occur when an adversary uses an avalanche of email to overwhelm a mailbox, disrupt service, evade security, or more.

The barrage of messages in an email bomb creates a smokescreen of non-malicious messages to obscure the malicious intent or payload.

The sheer volume of an email bomb makes it difficult for security solutions to address each message individually.

Email bomb endgames

Adversaries can send email bomb attacks for a variety of reasons.

Disable mailboxes

Attackers can use email bombs to disable a target mailbox or make it otherwise unusable due to the volume of messages.

Machine takeover

Attackers will initiate an email bomb, call the target as “tech support” to “fix” the bomb, and then get the target to install a remote access tool.

Account takeovers

Attackers will initiate a password reset, use a bomb to hide the legit reset email, and then send a fake reset email that phishes credentials.

Email bomb prevention with Sublime

Sublime uses machine learning, message grouping, and bidirectional processing to detect and prevent email bombs and save teams time.

01

Email bomb detection

Sublime builds patterns of email volume and behavior for each mailbox at an organization. Once an email bomb spike reaches a mailbox-specific threshold, all the messages in the bomb are grouped and auto-remediated.

02

Auto-remediation & fast triage

Sublime auto-remediates messages in an email bomb and provides an intuitive interface for quickly triaging any outliers. Our interface includes in-depth details about the email bomb so security teams can move quickly and precisely.

03

Email bomb overview

Security teams get a view of historical and ongoing email bombs, their status, and other important information.

04

Automated handling

Teams that want to go further can view and modify the Automation logic used to catch email bombs.
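The mailbox-specific threshold idea from "Email bomb detection" above, sketched as an added example; it is not Sublime's detection logic or Automation code. The window size, the median-plus-spread threshold, the floor, and all names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW_SECONDS = 600   # assumed: count inbound mail in 10-minute windows
K = 6                  # assumed: multiplier on the mailbox's normal spread
FLOOR = 20             # assumed: minimum threshold so quiet mailboxes ignore tiny bumps

def mailbox_threshold(history_counts):
    """Threshold for one mailbox: median + K * MAD of its past per-window counts."""
    med = median(history_counts)
    mad = median(abs(c - med) for c in history_counts)
    return max(FLOOR, med + K * max(mad, 1))

def find_bombs(history, messages):
    """history: {mailbox: [past per-window counts]}
    messages: [(mailbox, datetime, message_id)]
    Returns {(mailbox, window_start_epoch): [message_ids]} for windows at or
    over that mailbox's threshold, so the whole group can be handled at once."""
    windows = defaultdict(list)
    for mailbox, ts, msg_id in messages:
        epoch = int(ts.timestamp())
        windows[(mailbox, epoch - epoch % WINDOW_SECONDS)].append(msg_id)
    bombs = {}
    for (mailbox, start), ids in windows.items():
        counts = history.get(mailbox)
        # No baseline yet for this mailbox: fall back to the floor.
        limit = mailbox_threshold(counts) if counts else FLOOR
        if len(ids) >= limit:
            bombs[(mailbox, start)] = ids
    return bombs

# Constructed sample data: a quiet personal mailbox and a busy shared one.
HISTORY = {
    "alice@example.com":   [2, 3, 1, 4, 2, 3, 2],
    "support@example.com": [40, 55, 48, 60, 52, 45, 50],
}
START = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
# Both mailboxes receive the same burst: 60 messages in five minutes.
MESSAGES = [(mb, START + timedelta(seconds=5 * i), f"{mb}-{i}")
            for mb in HISTORY for i in range(60)]

if __name__ == "__main__":
    for (mailbox, start), ids in find_bombs(HISTORY, MESSAGES).items():
        print(mailbox, start, len(ids), "messages grouped")
```

The same burst is grouped as a bomb for the quiet mailbox but stays under the threshold of the busy shared mailbox, which is the point of keeping a baseline per mailbox rather than one global limit.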

See how Sublime stops email bombs

Experience how our email security platform prevents email bombs.

Frequently asked questions

What is an email bomb?
Email bombs are the DDoS of email: a bad actor sends an avalanche of email to a mailbox to overwhelm it, disrupt service, evade security, or more.

Why are email bombs effective attacks?
An email bomb is full of “smokescreen” emails, often legitimate mail that could be wanted in some contexts (if not during an attack). So many emails arrive at once that they cannot be addressed individually.

How can email bombs disable mailboxes?
An attacker can use an email bomb to disable a target mailbox or make it otherwise unusable due to the volume of messages.

How can email bombs be used for machine takeovers?
An attacker can send an email bomb and then call the victim pretending to be the IT department looking into the attack. They’ll ask the user to install remote access tools so that the attacker can “fix” the user’s disrupted email. The attacker now has access to the victim’s computer.

How can email bombs be used for account takeovers?
After successfully changing a user’s password for an external service, the attacker sends an email bomb at the same time as the password reset notification. The legitimate message about the password reset is then lost in the deluge, leaving the user unaware of the compromise.
