On June 1, 2023, a Reddit user posted about a cybersecurity incident where a few users at their company were being "email bombed" with thousands of spam emails from various sites. This type of attack can be incredibly disruptive and may be a precursor to more serious threats, like account takeovers. In this article, we'll walk through how to plan and execute a tabletop simulation based on this real-world incident, as described in the original Reddit post.
Who should run an email bombing attack simulation?
- Companies that rely heavily on email communications, like professional services firms, e-commerce businesses, and remote-first organizations
- IT and security teams responsible for email security, incident response, and user awareness training
- Business leaders who want to ensure their organization is prepared to quickly detect and respond to disruptive attacks
Engaging Simulation Starting Points
Choosing an interesting starting point is key to an effective cybersecurity fire drill. Some ideas for this scenario:
- Several users complain to IT about receiving hundreds of spam emails overnight, making it hard to find legitimate messages
- The security team's email gateway alerts on a sudden spike in inbound messages from new domains
- A user reports that they clicked a link in a spam email and were prompted to enter their email password
Tailor the starting point to your company's monitoring tools and most likely paths of detection.
Incident Response Simulation Phases
Once initiated, the fire drill should step through each phase of your incident response plan, such as:
- Detection and Analysis
  - Gather message samples and analyze them for malicious content
  - Check email authentication logs (SPF, DKIM, DMARC) for signs of spoofing
  - Interview affected users to identify any actions they took
- Containment
  - Block malicious senders and domains at the email gateway
  - Purge spam messages from user inboxes
  - Temporarily restrict outbound relaying for affected accounts
- Eradication
  - Reset passwords for any compromised accounts
  - Remove malware from infected devices
  - Close any fraudulent accounts created using victim email addresses
- Recovery
  - Restore normal mail flow and access for affected users
  - Provide credit monitoring if PII may have been exposed
  - Conduct user awareness training on spotting and reporting spam/phishing
- Post-Incident Activity
  - Produce an incident report with a timeline and root cause analysis
  - Implement playbooks and automated responses for faster mitigation
  - Refine spam and anti-malware rules based on IOCs from the attack
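One way to automate the detection step of the drill, as an added example written for this article (not code from the original Reddit post or from ChaosTrack): it parses constructed gateway log lines, flags recipients that receive a burst of messages from many distinct sender domains inside a short window, and counts DMARC failures for the analysis phase. The pipe-delimited log format, the domain names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample gateway log lines (not real data). Assumed format:
# timestamp|recipient|sender_domain|spf|dkim|dmarc
SAMPLE_LOG = """\
2023-06-01T02:00:01|alice@example.com|shop-a.example|pass|pass|pass
2023-06-01T02:00:03|alice@example.com|news-b.example|fail|none|fail
2023-06-01T02:00:05|alice@example.com|forum-c.example|pass|fail|fail
2023-06-01T02:00:09|alice@example.com|signup-d.example|none|none|fail
2023-06-01T02:00:12|alice@example.com|promo-e.example|fail|none|fail
2023-06-01T02:00:20|bob@example.com|partner.example|pass|pass|pass
2023-06-01T02:15:00|alice@example.com|shop-a.example|pass|pass|pass
"""


def parse_log(text):
    """Turn pipe-delimited gateway lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, rcpt, domain, spf, dkim, dmarc = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "rcpt": rcpt,
                       "domain": domain, "spf": spf, "dkim": dkim, "dmarc": dmarc})
    return events


def find_bombing_targets(events, window_minutes=10, min_messages=5, min_domains=4):
    """Return {recipient: stats} for recipients that got at least min_messages
    from at least min_domains distinct sender domains within any window_minutes
    window. Stats describe the first window that trips the thresholds."""
    by_rcpt = defaultdict(list)
    for e in events:
        by_rcpt[e["rcpt"]].append(e)
    hits = {}
    for rcpt, evs in by_rcpt.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside window_minutes.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_minutes * 60:
                start += 1
            window = evs[start:end + 1]
            domains = {e["domain"] for e in window}
            if len(window) >= min_messages and len(domains) >= min_domains:
                dmarc_fail = sum(1 for e in window if e["dmarc"] != "pass")
                hits[rcpt] = {"messages": len(window), "domains": len(domains),
                              "dmarc_fail": dmarc_fail}
                break
    return hits
```

The DMARC failure count is an analysis aid only: legitimate signup confirmations in a bombing wave often pass authentication, so the burst-from-many-domains signal is what triggers the alert.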
Ideas for Simulation Injects
Increase the complexity of your cybersecurity fire drill with "injects" like:
- Spam messages contain malware that infects a user's device when opened
- Attacker spoofs a company executive asking users to buy gift cards and send codes
- Bad actor downloads user list from compromised email account to expand attack scope
- Local news gets wind of incident and reaches out for comment before full investigation is done
Relevant MITRE ATT&CK Techniques
Techniques from the MITRE ATT&CK framework that may apply to this scenario:
- T1566.001 - Phishing: Spearphishing Attachment (if malware is delivered via email)
- T1566.002 - Phishing: Spearphishing Link (if users are directed to credential harvesting sites)
- T1114 - Email Collection (if user address lists are accessed and exfiltrated)
Strengthen Your Defenses with ChaosTrack
Running regular cybersecurity fire drills, like this email bombing scenario, is a proactive way to build "muscle memory" so your team can quickly investigate and mitigate real incidents. ChaosTrack makes planning and executing these simulations easier and more engaging than traditional tabletop exercises. Reach out to learn how we can help you build cyber resilience through realistic attack scenarios and hands-on response practice.