March 31, 2025

Cybersecurity Tabletop Game - How to Stop an Email Bomb

The video above walks through a simulated email bomb attack scenario, demonstrating how IT professionals can respond to this increasingly common threat. Let's break down what we learned from this realistic cybersecurity tabletop game.

Understanding Email Bomb Attacks

Email bombing floods inboxes with thousands of messages in a short timeframe. In the simulation, we see finance team members receiving over 3,000 emails within 30 minutes, combined with suspicious Microsoft Teams calls from people claiming to be from the help desk.

This multi-vector approach is what makes modern attacks so dangerous:

  • The email flood overwhelms inboxes and distracts users
  • Fake help desk calls via Teams attempt to gain remote access
  • The combination creates confusion while attackers attempt to install remote access tools (like AnyDesk in the simulation)

Response Steps Demonstrated in the Simulation

The IT administrator in the video works through a methodical response process:

  • Initial information gathering: Speaking with affected users to understand the scope
  • Security tool investigation: Checking SentinelOne (EDR) for suspicious activity
  • Account protection: Resetting passwords and enforcing MFA through Okta
  • Machine isolation: Quarantining potentially compromised computers
  • Attack vector blocking: Identifying and blocking the malicious Teams caller
  • Business continuity: Providing emergency replacement machines for the finance team
  • Documentation: Creating a timeline and preserving logs

What Worked Well

Several effective practices were demonstrated in the simulation:

  • Rapid containment: The admin quickly isolated potential entry points
  • Cross-platform investigation: Checking multiple systems (SentinelOne, Okta, Microsoft 365, Teams, Proofpoint)
  • Communication over an unaffected channel: Sending the all-staff notification via Teams rather than email (since email was compromised)

Improvement Areas Identified

The cybersecurity tabletop game highlighted several opportunities for improvement:

  • Checking for broader impact: Not verifying if other employees received similar Teams calls
  • External access management: Not discussing disabling external Teams access
  • Deep security scanning: Not initiating deep scans on affected systems
  • Temporary communications: Not creating temporary email addresses for affected teams
  • Help desk authentication: Not implementing stronger methods for verifying IT staff identity

The simulation showed the admin scoring 74% - a solid response, but with room for improvement.

Email Bomb Attack Defense Checklist

Based on the simulation, here's a checklist for handling email bomb attacks:

Immediate Response (First 30 Minutes)

  • Gather information from affected users
  • Check security tools for suspicious activity
  • Reset passwords for potentially affected accounts
  • Enable or verify MFA for affected accounts
  • Quarantine potentially compromised machines
  • Block identified malicious communication channels
  • Send company-wide alerts through unaffected channels

Secondary Response (1-2 Hours)

  • Check for similar patterns affecting other employees
  • Consider temporarily disabling external access to communication platforms
  • Provide alternative work capabilities for affected teams
  • Initiate deep security scans on affected systems
  • Create temporary email addresses if needed
  • Document the incident timeline
  • Preserve all relevant logs before they roll over

Follow-up Actions (24-48 Hours)

  • Evaluate whether to completely wipe affected machines
  • Review and strengthen authentication protocols
  • Analyze patterns in the attack for future prevention
  • Conduct a post-incident review with security team
  • Update incident response procedures based on learnings
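The "check security tools" and "check for similar patterns affecting other employees" steps both come down to spotting the volume signature the simulation describes: far more inbound mail to one mailbox in 30 minutes than normal, from many unrelated senders. The script below is an added example, not code from the video or from ChaosTrack; it assumes a simplified `timestamp|sender|recipient` line layout (real message-trace exports differ) and constructs its own sample data, flagging every recipient whose peak 30-minute inbound count exceeds a threshold and reporting how many distinct senders were involved.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # matches the "3,000 emails in 30 minutes" pattern


def parse_line(line):
    """Parse one 'timestamp|sender|recipient' record (assumed layout)."""
    ts, sender, rcpt = line.strip().split("|")
    return datetime.fromisoformat(ts), sender, rcpt


def flag_recipients(lines, threshold, window=WINDOW):
    """Return {recipient: (peak_count_in_window, distinct_senders)} for every
    recipient whose inbound volume inside any sliding `window` exceeds `threshold`."""
    per_rcpt = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            rec = parse_line(line)
            per_rcpt[rec[2]].append(rec)
    flagged = {}
    for rcpt, msgs in per_rcpt.items():
        msgs.sort()                      # order by timestamp
        win, peak = deque(), 0
        for ts, _, _ in msgs:
            win.append(ts)
            while ts - win[0] > window:  # drop messages older than the window
                win.popleft()
            peak = max(peak, len(win))
        if peak > threshold:
            flagged[rcpt] = (peak, len({s for _, s, _ in msgs}))
    return flagged


def build_sample_log():
    """Constructed sample: a burst to finance1 from 40 unrelated signup senders
    in 20 minutes, plus normal hourly traffic to hr1 from a single vendor."""
    base = datetime(2025, 3, 31, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()}"
             f"|signup{i}@site{i}.example|finance1@corp.example" for i in range(40)]
    lines += [f"{(base + timedelta(hours=i)).isoformat()}"
              f"|payroll@vendor.example|hr1@corp.example" for i in range(3)]
    return lines


if __name__ == "__main__":
    # Threshold is deliberately low for the sample; tune it to your baseline.
    for rcpt, (peak, senders) in flag_recipients(build_sample_log(), 25).items():
        print(f"{rcpt}: {peak} mails in 30 min from {senders} distinct senders")
```

A high distinct-sender count alongside the volume spike is what separates a subscription-bomb from a single misbehaving sender, and the flagged recipient list is the input for the "check for similar patterns" step.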

Why Tabletop Exercises Matter

The demonstration highlights why running cybersecurity tabletop games provides value:

  • Practical experience: Team members build response muscle memory without real risk
  • Gap identification: Organizations discover weaknesses before real attacks occur
  • Process improvement: Documentation and procedures can be refined based on results
  • Broader engagement: More employees can participate compared to traditional exercises

Preparing Your Own Team

To build similar capabilities within your organization:

  1. Start with realistic scenarios like the email bomb demonstrated in the video
  2. Include role-specific scenarios (IT staff, end users, executives)
  3. Keep exercises concise (the demo took under 15 minutes)
  4. Provide immediate feedback and improvement recommendations
  5. Track progress over time with repeat exercises

Final Thoughts

The cybersecurity tabletop game shown in the video reveals both the complexity of modern attacks and the need for structured, practiced responses. By running similar exercises, security teams can build the skills needed to protect their organizations when real attacks occur.

Email bombs will continue to be a popular attack vector, often serving as a distraction for more damaging intrusion attempts. Organizations that practice their response through simulations will be better positioned to stop these attacks quickly and minimize potential damage.

If you'd like to run a cybersecurity tabletop game like this in your organization, let's set up a time to chat.

©2024, ChaosTrack, Inc. All Rights Reserved.