MC1096885 - Mail Bombing Detection technology in Microsoft Defender for Office 365

Updated July 1, 2025: We have updated the timeline below. Thank you for your patience.

We’re introducing a new detection capability in Microsoft Defender for Office 365 to help protect your organization from a growing threat known as email bombing. This form of abuse floods mailboxes with high volumes of email to obscure important messages or overwhelm systems. The new “Mail Bombing” detection will automatically identify and block these attacks, helping security teams maintain visibility into real threats.

When this will happen:

General Availability (Worldwide): We will begin rolling out in late June 2025 and expect to complete by early July 2025 (previously late July).

How this affects your organization:

Security Operations Analysts and Administrators will see a new detection type labeled Mail Bombing in the following locations:

• Threat Explorer
• Email entity view
• Email Summary Panel
• Advanced Hunting

Messages identified as part of a mail bombing campaign will be automatically sent to the Junk folder. Safe Senders settings will continue to be honored—messages from those senders will not be impacted.

This feature is on by default and requires no manual configuration.

What you can do to prepare:

• Inform your Security Operations team about this new detection.
• Update internal documentation and training materials as needed.
• Review Junk folder handling policies to ensure alignment with your organization’s expectations.

Compliance considerations:

• Alters processing/storage of existing data Yes – modifies how email messages are classified and routed
• Introduces/modifies AI/ML capabilities Yes – introduces new detection logic
• Impacts Purview capabilities Maybe – may affect audit logging or eDiscovery visibility for junked messages
• Alters compliance monitoring/reporting Maybe – new detection may appear in compliance dashboards