The email you were never supposed to see


In the previous posts I described attacks where victims first receive a large flood of emails, followed by a message from someone pretending to be IT support.

However, email flooding is also used in another way.

Sometimes the goal is not to contact the victim afterwards at all.

Instead, the attacker uses the flood of emails to hide a single message you are not supposed to notice.


The attack pattern

The attack again starts with a sudden wave of emails you never signed up for.

In the previous attack variants, this flood may consist of dozens or a few hundred messages — often enough to create confusion and stress.

But in this version of the attack the numbers are often much larger.

Victims may receive thousands of emails within a short period of time, sometimes several thousand within just a few hours.

This is typically caused by subscription bombing, where an attacker registers your email address on a large number of websites and mailing lists.

At first glance it may just look like spam.

But the real purpose is often different.

Somewhere inside those thousands of messages there may be one important email.

And that email is the one the attacker hopes you will miss.


The message you were not supposed to see

Hidden among the noise could be a notification such as:

  • a password change confirmation
  • a username or email change on an account
  • a login alert from a service
  • an order confirmation for a purchase you did not make
  • a security alert from a service provider

If the victim does not see the message in time, the attacker gains a valuable window of opportunity.

For example, the attacker may:

  • take control of an online account
  • complete fraudulent purchases
  • change recovery settings on a service
  • gain persistent access to the account


Why the technique works

Humans are not good at processing thousands of messages at once.

When an inbox suddenly fills with hundreds or thousands of emails, most people focus on stopping the flood rather than carefully reviewing every message.

This is exactly what the attacker hopes will happen.

In reality, the only safe approach is often the most frustrating one: taking the time to carefully review the inbox and search for suspicious notifications.

If you suddenly receive thousands of emails within a short period of time, there is a real possibility that one of them contains a message you were not supposed to see.


Probably the most annoying version of the attack

Across the previous posts I described several variations of the same technique:

  1. Spam flood + fake IT support contact (Teams or social media)
  2. Spam flood + social engineering targeting personal accounts
  3. Spam flood used to hide an important security notification

All of them start the same way: the attacker creates confusion and noise.

But for the victim, this third variant may actually be the most frustrating one.

Because the only reliable way to respond is often to spend time going through thousands of messages, searching for the one message that matters.

Exactly the message the attacker hoped you would never notice.


And if the attacker succeeded, that message is likely there.

Somewhere in the inbox is the notification that reveals what actually happened — a password change, a login alert, an order confirmation, or perhaps that your airline miles have been used or that someone just ordered ten new phones in your name.

Finding that email is often the first step to fixing the problem.
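
One way to do that review without reading every message by hand, as an added example that is not part of the original post: a Python triage function that scans raw messages for the notification types listed above and puts matches without mailing-list headers first. The subject patterns, the sample messages and the `.example` addresses are assumptions constructed for illustration; real services word their notifications differently, so the patterns need tuning.

```python
import email
import re
from email import policy

# Assumed subject wording for the notification types listed in the post.
PATTERNS = {
    "password_change": re.compile(r"password (was |has been )?(changed|reset|updated)", re.I),
    "identity_change": re.compile(r"(e-?mail address|username) (was |has been )?(changed|updated)", re.I),
    "login_alert": re.compile(r"(new|unusual) (sign[- ]?in|login)", re.I),
    "order": re.compile(r"order (confirmation|confirmed|receipt)", re.I),
    "security_alert": re.compile(r"security alert", re.I),
}

def is_bulk(msg):
    """Subscription-bombing traffic usually carries mailing-list headers."""
    if msg["List-Unsubscribe"] or msg["List-Id"]:
        return True
    return str(msg.get("Precedence", "")).lower() in ("bulk", "list")

def triage(raw_messages):
    """Return messages whose subject looks like an account notification.
    Non-bulk matches sort first; bulk matches are kept, not dropped,
    because real order confirmations can carry list headers too."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        for label, pattern in PATTERNS.items():
            if pattern.search(subject):
                hits.append({"label": label, "from": str(msg["From"]),
                             "subject": subject, "bulk": is_bulk(msg)})
                break
    return sorted(hits, key=lambda h: h["bulk"])  # stable: inbox order kept

def _mk(sender, subject, bulk):
    """Build one constructed sample message."""
    headers = f"From: {sender}\nSubject: {subject}\n"
    if bulk:
        headers += "List-Unsubscribe: <https://lists.example/unsub>\n"
    return headers + "\nbody\n"

# Constructed inbox: 200 signup confirmations hiding three interesting mails.
SAMPLE = [_mk(f"news{i}@shop{i}.example", "Please confirm your subscription", True)
          for i in range(200)]
SAMPLE.insert(120, _mk("no-reply@bank.example", "Your password has been changed", False))
SAMPLE.insert(40, _mk("deals@promo.example", "Security alert: 5 tips for safer shopping", True))
SAMPLE.insert(150, _mk("orders@store.example", "Order confirmation (constructed)", False))

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["label"], "bulk" if hit["bulk"] else "DIRECT", hit["from"], hit["subject"])
```

To run it against a real mailbox export, feed `triage` the raw text of each message, for example from Python's `mailbox.mbox`.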

When attackers contact you on social media

In the previous post, I described a technique where attackers combine subscription bombing and fake IT support on Microsoft Teams to gain access to a victim’s system.

However, this is not the only variation of the technique.

In some cases the attack is directed at private individuals rather than employees in an organization, and the attacker uses social media instead of corporate collaboration platforms.

The attack pattern

The beginning of the attack often looks very similar.

The victim suddenly receives a large number of emails they never signed up for.
This is typically the result of subscription bombing, where the victim’s email address is registered with hundreds of websites and mailing lists.

The goal is to create confusion and stress.

Unlike the corporate scenario, the attacker may already know that the email address is connected to personal accounts, such as:

  • Facebook
  • Instagram
  • LinkedIn
  • other social media platforms

Shortly after the spam flood begins, the attacker contacts the victim through social media messaging instead of tools like Teams.

The attacker might claim to be:

  • platform support
  • account security staff
  • technical support
  • someone who noticed suspicious activity on the account

They then offer to help fix the problem.

The objective

Just like the Teams-based variant, the attacker will often try to convince the victim to:

  • install remote access software
  • share login credentials
  • approve suspicious login attempts
  • disable security protections such as two-factor authentication

Once the attacker gains access, they may attempt to:

  • take over social media accounts
  • access private messages and data
  • run scams from the victim’s account
  • attempt password resets on other services linked to the same email address

The same scam — different channel

In many ways, this is simply another evolution of the classic fake tech support scam.

The difference is that modern attackers often create a real problem first — such as a spam flood — before contacting the victim and offering help.

The communication channel may change:

  • phone calls in the past
  • Microsoft Teams in corporate environments
  • social media messaging for private individuals

But the core technique remains the same:

Create confusion → Offer help → Gain access

When attackers call on Teams

Suddenly your inbox starts filling up with hundreds of newsletters you never signed up for. 
Minutes later, a Teams message appears from “IT Support” offering to help.


This is not a coincidence!


A social engineering technique observed in several incidents combines two simple elements: large volumes of spam and fake IT support.

The attack typically begins when the victim receives a sudden flood of spam emails.
This is often the result of so-called subscription bombing, where the victim’s email address is registered with hundreds of online services and newsletters.
The result is an inbox that quickly fills with confirmation emails, newsletters, and other automated messages.

Shortly after the spam flood begins, the attacker contacts the victim through a collaboration platform such as Microsoft Teams, pretending to be from the organization’s IT department.
The attacker claims they have noticed the unusual email activity and want to help resolve the issue.

To “fix the problem,” the attacker asks the user to start a support session using a remote administration tool. The tool used is often Quick Assist, which is built into Windows, but tools such as AnyDesk, TeamViewer, or similar may also be used. Because the user is already experiencing a real problem — a spam flood in their inbox — the request may appear legitimate.

Once the attacker gains access to the system, several actions may follow depending on the objective of the attack.

Examples include:

  • deployment of ransomware
  • theft of files or sensitive information
  • credential harvesting
  • lateral movement within the network
  • establishing persistent access to the system

The technique works because it exploits human behavior rather than technical vulnerabilities.
By first creating confusion and stress through the spam flood, the likelihood increases that the user will accept help from someone claiming to be IT support.


How to Reduce the Risk

In many environments, messages from external users in Microsoft Teams can be clearly labeled with indicators such as External, Guest, Unverified, or similar warnings.

These indicators help users recognize that the message does not come from an internal colleague or the organization’s IT department.
If someone claiming to be internal IT support contacts a user via Teams, these indicators should always be checked.

Organizations should ensure that such labels and warnings are properly configured in Teams so that users can more easily distinguish between internal and external communications.

If this has not already been reviewed or implemented in the environment, it may be advisable to assess the current configuration and procedures.

In many ways, this is a modern version of the classic “fake Microsoft support” phone scam.
The difference is that attackers now create a real problem first — such as a spam flood — before offering to “help” fix it.