While the victim is drowning in “Welcome to SaaS Product!” and “Verify your email for Newsletter You Never Asked For”, the attacker is doing something else. They’re resetting the victim’s bank password, making purchases on their accounts, or signing up for credit cards in their name. The real security alerts and confirmation emails get buried by the noise.
Your sign-up form is a weapon | Bytemash
I haven’t heard of subscription bombing before.