Microsoft Defender for Office 365 Adds Email Bombing Protection, What You Need to Know

Jul 01, 2025By Eli Junco

EJ

Microsoft just rolled out a new feature to help businesses defend against a growing and frustrating email threat: mail bombing.

If your organization uses Microsoft Defender for Office 365, this new protection is already being enabled and will automatically detect and block mail bombing attacks. That’s a win for security teams—and for anyone who’s ever dealt with an inbox flooded with thousands of messages in minutes.

But while this is a strong move in the right direction, it’s also a good reminder that email remains one of the most common and dangerous entry points for cyberattacks. So let’s look at what’s changing, what it means for your business, and what other email protections you should have in place.

What Is Email Bombing?


Email bombing is exactly what it sounds like, an attacker floods a user’s inbox with a massive number of messages, often in the span of just a few minutes. Sometimes these are auto-generated newsletters, other times they’re bulk email blasts from compromised systems.

What is the goal of these email blasts? To overwhelm the victim’s inbox, hide important messages, or distract and confuse them during a social engineering attack. It’s not just annoying, it can be the first step in a larger compromise.

Recent attacks have shown just how damaging this tactic can be. Ransomware gangs like BlackBasta and affiliates of FIN7 have used email bombing to set up voice phishing attacks. In some cases, they’ve called employees pretending to be IT support and convinced them to install remote access tools. Once inside, they moved laterally through networks and deployed ransomware.

What’s New in Defender for Office 365?


To help combat this, Microsoft has added automatic detection for mail bombing in Defender for Office 365. This feature started rolling out in June 2025 and should reach all tenants by late July. It’s enabled by default and doesn’t require any manual setup.

When a mail bombing campaign is detected, those messages are automatically redirected to the Junk folder, helping reduce the noise and keep users focused on legitimate communications.

Security teams will also be able to see these attacks in Microsoft’s Threat Explorer, Advanced Hunting, and other key security dashboards.

Stressed person sending work emails

What Else Should You Be Doing?


While Microsoft’s update is a great start, email threats aren’t going away. Attackers are constantly adapting their tactics. That’s why we recommend a layered approach to email security, especially for small and mid-sized businesses that may not have a full-time security team.

Here are a few key settings and steps you should have in place:

  1. Use MFA Everywhere
    Make sure multi-factor authentication is turned on for all email accounts, especially for admins and executives. Even if someone gets tricked into giving up a password, MFA can block the login.
  2. Enable Safe Links and Safe Attachments
    These Microsoft Defender features scan links and files in real time. They’re especially useful for stopping phishing and malware that slips past initial filters.
  3. Configure Anti-Phishing Policies
    Make use of Microsoft’s built-in impersonation protection to catch spoofed messages that pretend to come from your CEO, CFO, or other high-risk users.
  4. Limit Mail Forwarding Rules
    Attackers often set up hidden forwarding rules after they compromise an inbox. Review your mail flow settings and consider disabling auto-forwarding to external domains unless it's absolutely necessary.
  5. Monitor for Unusual Login Behavior
    Enable alerts for sign-ins from suspicious locations or impossible travel scenarios. This can help you catch compromised accounts early.
  6. Provide Ongoing Security Awareness Training
    Even with all the right tools, human error is still a big risk. Regular training helps your team spot phishing attempts and avoid common traps like fake IT support calls.
Sending encrypted E-Mail protection secure mail internet blue computer keyboard

Final Thoughts


Email bombing may not sound as serious as ransomware, but in many cases, it’s the smoke before the fire. With attackers combining tactics like inbox flooding, voice phishing, and social engineering, it’s more important than ever to make sure your email defenses are up to date.

Microsoft is helping by adding better default protections. But don’t stop there. Take the time to review your email settings, check your policies, and train your users.

And if you're not sure whether your email defenses are strong enough, or if you just need a second set of eyes, TechHorizon Consulting can help. Our virtual CISO service gives you expert security guidance without the full-time overhead. We’ll help you assess risks, tune your defenses, and build a strategy that works for your team.

If you're interested, head over to our Contact Us page. We're happy to help.