In their recent blog post, Darktrace goes over a case study of how adversaries used ‘Spam Bombing’ to ultimately convince the target to give them access to their computer via the Microsoft Quick Access remote management tool.

What happened

  • The attackers used the target's email address to sign them up to 100+ legitimate services.
  • Within minutes the target got bombarded with 107 different e-mails in 3 different languages.
  • All these e-mails came from reputable sources, because ultimately they were valid newsletter and service signup e-mails. Hence, they were not flagged as suspicious.
  • To help with the flood of e-mails, a “helpful IT person” reached out to the target and convinced them to give them remote access to their computer.

Protection against “Spam Bombing”

  • Make sure your monitoring tools are not only looking at and analysing individual e-mails. Overall patterns are important to notice as well.
  • Share this example within your organisations so they too can recognize the suspiciousness of such patterns.
  • And as always, be suspicious about helpful IT people reaching out at the most convenient moment. When something like this happens, hang up, ignore and reach out to them yourself using official channels.
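
One way to look at the overall pattern rather than individual e-mails, as an added example that is not from the Darktrace post: a sliding-window check that flags a recipient who suddenly receives many messages from many different sender domains. The event tuple layout, the thresholds and the sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against your own mail-flow baseline.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 50
MIN_SENDER_DOMAINS = 30


def detect_spam_bombing(events, window=WINDOW, min_messages=MIN_MESSAGES,
                        min_domains=MIN_SENDER_DOMAINS):
    """events: iterable of (timestamp, recipient, sender_address), any order.

    Returns {recipient: (first_alert_time, message_count, distinct_domains)}
    for every recipient whose inbound mail within one window exceeds both
    thresholds, even if each message on its own looks legitimate.
    """
    recent = defaultdict(deque)   # recipient -> deque of (ts, sender_domain)
    alerts = {}
    for ts, rcpt, sender in sorted(events):
        rcpt = rcpt.lower()
        domain = sender.rsplit("@", 1)[-1].lower()
        q = recent[rcpt]
        q.append((ts, domain))
        # Drop messages that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        domains = {d for _, d in q}
        if (rcpt not in alerts and len(q) >= min_messages
                and len(domains) >= min_domains):
            alerts[rcpt] = (ts, len(q), len(domains))
    return alerts


def constructed_sample():
    """Constructed data: 107 sign-up mails to one user within ~9 minutes,
    plus ordinary low-volume traffic to another user."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    burst = [(t0 + timedelta(seconds=5 * i), "victim@corp.example",
              f"noreply@service{i}.example") for i in range(107)]
    normal = [(t0 + timedelta(minutes=3 * i), "other@corp.example",
               "news@vendor.example") for i in range(20)]
    return burst + normal


if __name__ == "__main__":
    for rcpt, (ts, n, d) in detect_spam_bombing(constructed_sample()).items():
        print(f"{ts.isoformat()} ALERT {rcpt}: {n} mails from {d} domains in window")
```

An alert like this is most useful when it also reaches the help desk, so that an unexpected “IT support” contact to the same user shortly afterwards can be treated as part of the same incident.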
