The Walmart registration bomb has been one of the most revealing email bombing cases we’ve investigated, simply because it was so replicable. The same playbook continues to be deployed against organizations across every sector, and it works every time for the same reason: the inbox flood is an effective distraction that hides the real threat.

What is email bombing? Attacks hidden in plain sight 

Email bombing attacks, also known as mail bomb attacks, occur when bots flood an email address or server with hundreds to thousands of email messages. Since the late 2000s, these attacks have been a significant thorn in the sides of CISOs and ordinary email users. This nefarious act can achieve a similar outcome to that of a distributed denial of service (DDoS) attack. Email bomb spam is also frequently deployed to distract and hide important emails.

Unlike ordinary spam, email bombs are deliberately targeted at a specific address, often to:

  • Distract the victim from noticing a more serious event (a fraudulent purchase, a password reset, an account takeover)
  • Deny service to a mail server, making it unresponsive or degraded
  • Set the stage for a follow-on social engineering attack

One of the most notable email bombing campaigns came in 2016. According to Brian Krebs, “unknown assailants launched a massive cyberattack aimed at flooding targeted dot-gov (.gov) email inboxes with subscription requests to thousands of email lists.” The server was so overwhelmed with email bomb spam that many .gov email addresses remained unusable for days.

The attack template: How the Walmart ‘registration bomb’ cloaked financial fraud with inbox overload

Overview: During the Walmart registration bomb, BlackCloak analysts discovered a growing number of new and existing clients whose inboxes were overwhelmed with registration confirmation emails from websites that they had never visited and had no affiliation with. Our investigation revealed these ‘registration bombs’ – the term we designated to differentiate these attacks from traditional email bombs – were deployed to distract victims from recognizing that their Walmart.com account was hacked and that financial fraud occurred.

Inbox example of registration bomb courtesy of Krebs on Security

What happened next: Our research found attackers obtained an unknown number of Walmart.com login credentials that were leaked onto the Dark Web, often from unrelated website data breaches. With usernames and passwords at their disposal, attackers were able to reuse these stolen credentials to log into active Walmart.com accounts, and make purchases using the valid credit card that remained on file. We quickly recognized the majority of transactions were $250 or less. This is likely intentional to avoid triggering fraud alerts. To distract from the financial fraud, the attackers overload the victims’ inbox with registration emails, ‘registration bombing’. This pushes the Walmart.com purchase confirmation email completely out of sight. Some victims received more than 500 registration emails, pushing down the purchase receipt 5, 7 and even 10 pages deep. For many, the financial fraud went unnoticed for a long period of time.

Attacker tool used to initiate attack courtesy of GitHub

How email bombing works: Three variants

1. Subscription Bombing (the most common today)

The attacker uses automated scripts or bots to register the victim’s email address with hundreds or thousands of legitimate mailing lists, newsletters, and forum notification systems simultaneously. Because the incoming emails are from real, trusted senders — subscription confirmations, “welcome” emails, double-opt-in requests — most spam filters let them pass.

This results in hundreds of emails in minutes, with no obvious malicious content to block.

2. Mass Message Bombing

A bot or botnet sends enormous volumes of messages directly to an address or mail server. This is the classic DoS variant and is more detectable by volume-based rate limiting.

3. Registration Bombing (as a fraud cover)

As BlackCloak originally documented in our Walmart research, attackers can use a subscription bomb specifically to hide a transactional email (a purchase confirmation, a bank alert, a password change notice) that the victim needs to see. Hundreds of incoming emails bury that critical message pages deep in the inbox.

How to Stop an Email Bomb: Immediate Response 

If you believe you are currently under email bomb attack:

  • Do not mass-delete. Use email rules and filters to quarantine the flood by sender domain or subject line pattern. Deleting in bulk risks destroying legitimate emails buried in the noise and hiding evidence after the fact.
  • Check your accounts immediately. Use a secure network to log directly into financial accounts, your email provider, and any e-commerce accounts (especially those with saved payment methods) to look for unauthorized activity. Don’t rely on finding the alerts in your inbox.
  • Change your passwords. Start with email, then financial accounts, then anything with saved payment credentials. Use unique, randomly generated passwords of at least 12 characters.
  • Enable multifactor authentication on every account that supports it.
  • Do not install remote access software for anyone who contacts you offering to help — especially via Teams, Slack, or phone — without independently verifying their identity through a known, trusted channel.

Long-Term Email Bomb Prevention 

  • Use a secondary email address for newsletter signups, retail accounts, and low-priority registrations. This limits the blast radius if subscription bombing is deployed against your primary address.
  • Check credit card and bank statements monthly, not just when you receive an alert. In the Walmart registration bomb campaign we investigated, some victims didn’t discover the fraud for months because purchase confirmations were buried.
  • Be skeptical of help you didn’t ask for. If your inbox is suddenly flooded and someone promptly appears offering to fix it, treat that as a red flag.

BlackCloak: Reducing risk of email bombing attacks

It is easy to understand why ‘registration bombing’ is a successful tactic and a reasonable evolution of the email bomb. It’s easy to deploy and time-consuming to resolve. Moving forward, be extra cognizant of unsolicited emails. This is especially true for messages in mass quantity that are requesting an action be taken.

BlackCloak members who think they might have been impacted by the Walmart ‘registration bombing’ attack, or suspect an email bombing attack in the future should contact the Concierge Support Team immediately. And of course, don’t forget to deploy multi-factor authentication on Walmart.com and on any other e-commerce accounts that offer it.

Learn how BlackCloak’s comprehensive personal cybersecurity protects executives, high-profile individuals, and HNWIs.