
Cybersecurity stop of the month: the inbox avalanche—how subscription bombing hides the real attack 


The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today’s cybercriminals and how Proofpoint helps organizations better fortify their defenses to protect people against today’s emerging threats.   

Imagine checking your inbox during the day and finding 1,500 new emails waiting for you. They aren't typical spam or malicious phishing links. They are legitimate "welcome to our newsletter" confirmations from real companies, like a bakery in France, a tech blog based in Japan, and a furniture store in the U.S. 

You haven’t become popular overnight. You are the victim of an email subscription bombing attack. And while you are frantically deleting thousands of junk emails to clear your inbox, you miss the single, critical notification that’s buried in the noise: a “password changed” alert or a “wire transfer initiated” notification from your bank. 

This isn't just nuisance spam. It’s a calculated, updated version of a denial-of-service (DoS) tactic that is rapidly gaining in popularity as a sophisticated attack vector.  

What is subscription bombing?  

Subscription bombing attacks occur in short, high-velocity bursts of thousands of emails. A bombing attack delivers over 1,500 emails per hour, designed to overwhelm the victim and render an inbox completely unusable within minutes. While they look like a mere productivity-disrupting nuisance, the real goal is to distract the victim from other types of malicious activity.  

This activity may include hiding account takeover scenarios, like resetting a password and locking a user out of their account. Or they may try to move the conversation out of email into a different communication channel, such as Teams or Slack.  

The scenario: the morning "avalanche" 

Here are two real-world examples. 

Healthcare Sector Alert (HC3) 

The Health Sector Cybersecurity Coordination Center (HC3) issued a specific sector alert warning that email bombing is being used to target healthcare and public health organizations. The alert highlights how these attacks can degrade network performance and potentially lead to direct business downtime, urging organizations to implement robust verification systems. 

Black Basta’s "Social Engineering" Smokescreen 

Research from Hornetsecurity has revealed that the notorious Black Basta ransomware group is actively weaponizing subscription bombing. In their campaigns, they flood a user's inbox to create panic and confusion. While the user is distracted, the threat actors contact them via Microsoft Teams posing as IT support to help “fix the spam issue.” Next, they exploit the user by tricking them into downloading remote access tools like AnyDesk or Quick Assist to compromise the network. 

The threat: a smokescreen for fraud 

Subscription bombing is rarely the end goal of an attack. It’s a distraction technique. Attackers use it to paralyze your ability to communicate and to bury evidence of a compromised account. 

Unlike traditional attacks that rely on malicious payloads (like bad URLs or malware), these attacks weaponize legitimate marketing automation. Threat actors use automated bots to scan the web for unsecured newsletter sign-up forms (those lacking CAPTCHA). They then input the victim's email address into thousands of these forms simultaneously. 

Because the emails come from legitimate domains, such as Mailchimp, HubSpot, and real businesses, they have proper authentication (SPF/DKIM). As a result, they bypass traditional spam filters that rely on reputation scoring. To legacy email security gateways, it simply looks like the user enthusiastically signed up for a lot of newsletters. 
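The form-operator side of this problem is where the flood originates, so the following added example (not Proofpoint code and not from any vendor mentioned here) shows the two server-side controls that keep a newsletter sign-up endpoint from being usable as a bombing source: a per-recipient cooldown, so an address gets at most one pending confirmation per window no matter how many times a bot submits it, and a signed double-opt-in token, so the "welcome" mail is only ever sent after the recipient confirms. The class name, the per-IP limit, the secret and the timestamps are all constructed for the example.

```python
"""Hardened newsletter sign-up handler (added example, not vendor code).

Controls demonstrated:
  * per-IP request limit           - a human does not submit 20 sign-ups an hour
  * per-recipient cooldown         - one pending confirmation per address per day
  * HMAC-signed double-opt-in token - 'welcome' mail only after the recipient clicks
All names, limits and the secret below are constructed for illustration.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret-rotate-in-production"
COOLDOWN_S = 24 * 3600        # one confirmation mail per recipient per day
IP_LIMIT_PER_HOUR = 20        # hypothetical limit; tune to real form traffic


class SignupService:
    def __init__(self):
        self.last_request = {}    # email -> timestamp of last confirmation sent
        self.ip_requests = {}     # client ip -> timestamps of recent requests
        self.confirmed = set()
        self.outbox = []          # (recipient, kind, token) for mail actually sent

    def _mac(self, email, issued):
        """Sign (email, issue time) so a confirm link cannot be forged or replayed."""
        data = f"{email}|{issued}".encode()
        return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

    def request(self, email, client_ip, now):
        """Handle a form submission. Returns what the server did."""
        email = email.strip().lower()

        # Per-IP limit: a bot filling thousands of forms trips this first.
        hist = [t for t in self.ip_requests.get(client_ip, []) if now - t < 3600]
        if len(hist) >= IP_LIMIT_PER_HOUR:
            return "rate_limited"
        hist.append(now)
        self.ip_requests[client_ip] = hist

        # Per-recipient cooldown: the victim of a bombing campaign must not be
        # mailed again during the window. The HTTP response to the client should
        # look the same as for a fresh request so the form is not an oracle.
        last = self.last_request.get(email)
        if last is not None and now - last < COOLDOWN_S:
            return "cooldown"
        self.last_request[email] = now

        issued = int(now)
        token = f"{issued}.{self._mac(email, issued)}"
        self.outbox.append((email, "confirm", token))   # the only mail sent
        return "confirmation_sent"

    def confirm(self, email, token, now):
        """Handle the click on the confirmation link; only then send 'welcome'."""
        email = email.strip().lower()
        try:
            issued_s, mac = token.split(".", 1)
            issued = int(issued_s)
        except ValueError:
            return "invalid"
        if now - issued > COOLDOWN_S:
            return "invalid"                  # expired link
        if not hmac.compare_digest(self._mac(email, issued), mac):
            return "invalid"                  # forged or tampered link
        self.confirmed.add(email)
        self.outbox.append((email, "welcome", None))
        return "subscribed"


if __name__ == "__main__":
    svc = SignupService()
    print(svc.request("victim@example.com", "198.51.100.7", 1000.0))   # confirmation_sent
    print(svc.request("victim@example.com", "198.51.100.8", 1001.0))   # cooldown, no mail
    _, _, tok = svc.outbox[0]
    print(svc.confirm("victim@example.com", tok, 1500.0))              # subscribed
```

The important property is that a bot submitting the same victim address into this form a thousand times produces exactly one outbound message, and that message is a confirmation, not a welcome. A CAPTCHA on the form raises the cost of the submission itself, but the cooldown and the opt-in token are what bound the damage once the CAPTCHA is bypassed or absent.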

How Proofpoint Nexus stops subscription bombing 

While standard filters fail because the emails are technically safe, our AI-powered detection stack, Proofpoint Nexus®, succeeds by analyzing the intent and velocity of incoming email. 

The Nexus technology uses an ensemble of AI engines that work together to identify and block these attacks in real time, ensuring that legitimate mail continues to flow while the “bomb” is contained. 

Here is how the different Nexus engines work together to identify and block an email bombing attack: 

  • Nexus LM™ (Language Model). This engine analyzes language patterns in messages. It specifically looks for high concentrations of ‘welcome to’ or ‘subscription sign-up’ language and identification markers, which are common in automated confirmations. 
  • Nexus RG™ (Relationship Graph). By understanding the baseline behavior of your users, the Nexus RG engine determines anomalies in message volume and velocity. It instantly recognizes that a sudden influx of 500 emails in seconds from previously unknown senders is a deviation from the user's normal activity. 
  • Nexus ML™ (Machine Learning). When these signals converge, the Nexus ML engine activates “Bomb Shelter” mode. This automatically classifies the flood of emails as bulk/low priority and redirects them out of the user’s inbox. This ensures the attack is neutralized. User inboxes are kept clear for the critical alerts that the attacker is trying to hide. And user productivity isn’t disrupted. 
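To make the three signals above concrete, here is an added example (written for this post, not Proofpoint's Nexus code, and it does not reproduce any vendor's models) that combines them in a single per-mailbox detector: a keyword check for sign-up language standing in for the language model, a set of known senders standing in for the relationship baseline, and a sliding window over unknown-sender confirmations standing in for the velocity signal. The threshold of 25 suspicious messages per 60 seconds is the page's 1,500-per-hour figure; the class name, the phrase lists and the sample message stream are constructed.

```python
"""Sliding-window subscription-bombing detector (added example, not Nexus code).

Three stand-ins for the signals described in the post:
  language  - subject matches sign-up confirmation phrasing
  baseline  - sender domain is not one the mailbox already corresponds with
  velocity  - count of such messages in the last 60 s reaches 1,500/hour pace
Known senders and messages matching critical-alert phrasing always stay in the
inbox, which is the point: the attacker's hidden notification must not be buried.
"""
from collections import deque
from dataclasses import dataclass

SIGNUP_PHRASES = ("welcome to", "confirm your subscription",
                  "thanks for subscribing", "verify your email")
CRITICAL_PHRASES = ("password changed", "wire transfer", "new sign-in")


def _matches(subject, phrases):
    s = subject.lower()
    return any(p in s for p in phrases)


@dataclass
class Message:
    ts: float            # seconds; constructed timestamps below
    sender_domain: str
    subject: str


class BombShelter:
    """Hypothetical name for the per-mailbox detector."""

    def __init__(self, known_senders, window_s=60.0, threshold=25):
        self.known = set(known_senders)
        self.window_s = window_s
        self.threshold = threshold      # 25 per minute == 1,500 per hour
        self.recent = deque()           # timestamps of suspicious messages in window
        self.active = False

    def classify(self, msg):
        """Return 'inbox' or 'bulk' for one message, updating the window."""
        while self.recent and msg.ts - self.recent[0] > self.window_s:
            self.recent.popleft()
        known = msg.sender_domain in self.known
        suspicious = (not known) and _matches(msg.subject, SIGNUP_PHRASES)
        if suspicious:
            self.recent.append(msg.ts)
        self.active = len(self.recent) >= self.threshold
        # Baseline senders and critical alerts are never diverted.
        if known or _matches(msg.subject, CRITICAL_PHRASES):
            return "inbox"
        if self.active and suspicious:
            return "bulk"
        return "inbox"


def triage(messages, known_senders):
    """Run one mailbox's stream through the detector; returns a verdict per message."""
    det = BombShelter(known_senders)
    return [det.classify(m) for m in messages]


# Constructed sample: one normal message, a 40-message burst of welcome mails
# from 40 never-seen domains one second apart, then the alert the attacker is
# trying to hide, then one more confirmation.
KNOWN_SENDERS = {"bank.example", "corp.example"}
SAMPLE_STREAM = [Message(100.0, "bank.example", "Your monthly statement")]
SAMPLE_STREAM += [Message(101.0 + i, f"shop{i}.example", "Welcome to our newsletter!")
                  for i in range(40)]
SAMPLE_STREAM += [Message(141.5, "bank.example", "Password changed on your account"),
                  Message(142.0, "bakery.example", "Confirm your subscription")]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_STREAM, KNOWN_SENDERS)
    for m, v in zip(SAMPLE_STREAM, verdicts):
        print(f"{v:5}  {m.sender_domain:16}  {m.subject}")
    print("diverted to bulk:", verdicts.count("bulk"))
```

Two things the toy makes visible that the bullet list above does not: the first 24 confirmations of the burst are delivered before the velocity threshold trips, so a production system also has to reclassify already-delivered messages once the mode activates; and the "password changed" alert reaches the inbox because of the sender baseline and the critical-phrase check, not because it is rare, which is why the relationship signal matters as much as the volume signal.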

Emerging trends: the bombing spreads 

Subscription bombing is part of a broader trend of high-volume distraction attacks that are on the rise. We are observing threat actors evolving these tactics to other channels: 

  • Form bombing. Similar to subscription bombing, these attacks target transactional forms (like “contact us” or “quote request” pages). Victims receive thousands of “thanks for contacting us” auto-responses. Attacks are often harder to block because they are transactional emails that do not require a “click to confirm” step. 
  • SMS bombing. Also known as multifactor authentication (MFA) fatigue, in these attacks bad actors flood a user’s mobile device with 2FA codes or text messages. This is often used to annoy victims into accepting a fraudulent login request just to make the notifications stop, or to mask a SIM swap attack.

Defending against the noise 

In an era where attackers weaponize legitimate traffic to hide their crimes, organizations need a defense that understands behavior, not just bad reputations. 

Proofpoint Nexus ensures that no matter how much noise an attacker generates, the signal—and your security—remains clear. By activating defenses like “bomb shelter” mode, we turn a potentially paralyzing DoS attack into a non-event, protecting your people and preserving your business operations. 

To learn more about how we can help your organization protect your people and your data from the next generation of AI-driven threats, schedule a demo today.  

Contact us to learn more about how Prime Threat Protection can help defend against subscription bombing and other emerging cybersecurity risks.  
