T1071.003 Mail Protocols Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let TimeWindow = 24h;
// Detect non-mail-client processes connecting to mail protocol ports
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemotePort in (25, 465, 587, 110, 995, 143, 993)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName !in~ (
    "outlook.exe", "thunderbird.exe", "OUTLOOK.EXE",
    "MailClient.exe", "eM Client.exe",
    "msedge.exe", "chrome.exe"
)
| extend Protocol = case(
    RemotePort in (25, 465, 587), "SMTP",
    RemotePort in (110, 995), "POP3",
    RemotePort in (143, 993), "IMAP",
    "Unknown")
| summarize
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    BytesSent = sum(SentBytes),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, Protocol, AccountName
| where ConnectionCount > 2
| project LastSeen, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, Protocol, RemotePort, ConnectionCount, UniqueRemoteIPs, BytesSent
| sort by ConnectionCount desc

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Scripted email sending tools used by IT for automated notifications (e.g., Python scripts using smtplib, PowerShell Send-MailMessage)
Application servers with built-in email notification capabilities (monitoring alerts, report delivery)
Email security gateways and spam filters that relay mail through non-standard processes
Backup software that sends completion notifications via SMTP

Splunk

spl

index=network OR index=firewall sourcetype IN ("stream:smtp", "stream:pop3", "stream:imap", "pan:traffic", "cisco:asa")
  (dest_port IN (25, 465, 587, 110, 995, 143, 993))
  action=allowed
| eval Protocol=case(
    dest_port IN (25, 465, 587), "SMTP",
    dest_port IN (110, 995), "POP3",
    dest_port IN (143, 993), "IMAP",
    1=1, "Unknown")
| search NOT (process_name IN ("outlook.exe", "thunderbird.exe", "OUTLOOK.EXE", "MailClient.exe"))
| stats count as ConnectionCount, dc(dest_ip) as UniqueDestIPs, sum(bytes_out) as BytesSent, earliest(_time) as FirstSeen, latest(_time) as LastSeen, values(src_user) as Users by src_ip, dest_ip, dest_port, Protocol, process_name
| where ConnectionCount > 2
| eval Severity=case(
    Protocol="IMAP" AND NOT match(process_name, "(?i)(outlook|thunderbird|mail)"), "critical",
    Protocol="POP3" AND NOT match(process_name, "(?i)(outlook|thunderbird|mail)"), "critical",
    Protocol="SMTP" AND ConnectionCount > 10, "high",
    1=1, "medium")
| table FirstSeen, LastSeen, src_ip, dest_ip, Protocol, dest_port, process_name, Users, ConnectionCount, BytesSent, Severity
| sort - Severity, - ConnectionCount

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Content Firewall Logs Network Stream Data

Required Sourcetypes

stream:smtp stream:pop3 stream:imap pan:traffic cisco:asa

False Positives

Scripted email sending tools used by IT for automated notifications (e.g., Python scripts using smtplib, PowerShell Send-MailMessage)
Application servers with built-in email notification capabilities (monitoring alerts, report delivery)
Email security gateways and spam filters that relay mail through non-standard processes
Backup software that sends completion notifications via SMTP

Elastic Security (EQL)

eql

sequence by host.name, process.entity_id with maxspan=24h
  [network where event.type == "connection_attempted" and
   destination.port in (25, 465, 587, 110, 995, 143, 993) and
   not process.name in~ ("outlook.exe", "thunderbird.exe", "mailclient.exe", "em client.exe", "msedge.exe", "chrome.exe", "firefox.exe", "safari.exe")] with runs=3

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.network) Winlogbeat with Sysmon (Event ID 3 - Network Connection) Auditbeat (auditd network syscalls) Packetbeat (network flow data)

Required Tables

logs-endpoint.events.network-* logs-windows.sysmon_operational-* logs-system.security-*

False Positives

Automated IT monitoring or alerting scripts using Python smtplib, PowerShell Send-MailMessage, or similar runtime processes (python.exe, powershell.exe) to send legitimate system notifications via SMTP
Mail archiving, backup, or compliance solutions (e.g., MailStore, Veeam) that connect via IMAP/POP3 using custom or vendor-specific process names not present in the exclusion list
Third-party email clients with non-standard binary names (e.g., Mailbird, The Bat!, Postbox, Evolution) that are legitimately installed but not covered by the process name exclusion list
Security scanning tools or network discovery agents probing mail server availability on mail ports during authorized vulnerability assessments

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  destinationip,
  destinationport,
  username,
  "Process Name",
  COUNT(*) AS ConnectionCount,
  SUM(LONG("Bytes Sent")) AS TotalBytesSent,
  MIN(starttime) AS FirstSeen,
  MAX(starttime) AS LastSeen,
  CASE
    WHEN destinationport IN (25, 465, 587) THEN 'SMTP'
    WHEN destinationport IN (110, 995) THEN 'POP3'
    WHEN destinationport IN (143, 993) THEN 'IMAP'
    ELSE 'Unknown'
  END AS MailProtocol
FROM events
WHERE
  starttime > NOW() - 86400000
  AND destinationport IN (25, 465, 587, 110, 995, 143, 993)
  AND "Event Direction" = 'L2R'
  AND LOWER("Process Name") NOT IN (
    'outlook.exe', 'thunderbird.exe', 'mailclient.exe',
    'em client.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe'
  )
GROUP BY
  sourceip, destinationip, destinationport,
  username, "Process Name", MailProtocol
HAVING ConnectionCount > 2
ORDER BY ConnectionCount DESC

high severity medium confidence

Data Sources

QRadar Network Activity (flow data) Palo Alto Networks Firewall (DSM) Cisco ASA / FTD (DSM) Windows Security Event Log with process enrichment (Event ID 4688) IBM QRadar Endpoint Detection events

Required Tables

events

False Positives

Automated scripts and scheduled tasks using SMTP for system alerting, such as cron jobs invoking sendmail or Python scripts using smtplib, where the parent process name (bash, python3.exe) does not match known mail clients
Database server processes configured to send SMTP alerts directly (e.g., Oracle UTL_MAIL running under oracle.exe, SQL Server Database Mail running under sqlservr.exe)
Mail archiving or eDiscovery solutions connecting via IMAP/POP3 using proprietary service process names not included in the exclusion filter

Sumo Logic CSE

sql

(_sourceCategory=*network* OR _sourceCategory=*firewall* OR _sourceCategory=*proxy*)
| where dest_port in ("25","465","587","110","995","143","993")
| where !(process_name matches "(?i)(outlook|thunderbird|mailclient|em\\.client|msedge|chrome|firefox)")
| if (dest_port in ("25","465","587"), "SMTP",
    if (dest_port in ("110","995"), "POP3",
      if (dest_port in ("143","993"), "IMAP", "Unknown"))) as Protocol
| if (Protocol in ("IMAP","POP3"), "critical",
    if (Protocol = "SMTP", "high", "medium")) as Severity
| count as ConnectionCount,
  dcount(dest_ip) as UniqueDestIPs,
  sum(bytes_out) as TotalBytesSent,
  min(_messageTime) as FirstSeen,
  max(_messageTime) as LastSeen
  by src_ip, dest_ip, dest_port, Protocol, process_name, Severity
| where ConnectionCount > 2
| sort by ConnectionCount desc

high severity medium confidence

Data Sources

Palo Alto Networks PAN-OS (via Sumo Logic app or syslog) Cisco ASA / FTD firewall logs Zscaler NSS cloud proxy logs Windows Sysmon network events (Event ID 3) forwarded via Sumo Logic collector Linux auditd SYSCALL connect events

Required Tables

Network, firewall, and proxy log sources indexed under sourceCategories matching *network*, *firewall*, or *proxy*

False Positives

Application servers or web frameworks (java.exe, node.exe, ruby.exe) with embedded email functionality sending transactional email via SMTP, commonly seen in CRM or ticketing platforms
Database engines configured for direct SMTP notification delivery (sqlservr.exe, mysqld.exe) that exceed the connection threshold during batch alerting windows
Security orchestration or SOAR platforms sending email alerts via SMTP using automation agent process names that are not in the exclusion list

Google Chronicle / SecOps

yaral

rule t1071_003_non_mail_process_mail_protocol {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-standard processes making repeated outbound connections to mail protocol ports (SMTP/POP3/IMAP), indicative of T1071.003 adversarial C2 over mail protocols"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.003"
    reference = "https://attack.mitre.org/techniques/T1071/003/"
    created = "2026-01-01"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    (
      $e.target.port = 25 or
      $e.target.port = 465 or
      $e.target.port = 587 or
      $e.target.port = 110 or
      $e.target.port = 995 or
      $e.target.port = 143 or
      $e.target.port = 993
    )
    not re.regex(
      $e.principal.process.file.full_path,
      `(?i)(outlook|thunderbird|mailclient|em\.client|msedge|chrome|firefox|safari)\.exe`
    )
    $host = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
    $dest_ip = $e.target.ip

  match:
    $host, $proc, $dest_ip over 24h

  condition:
    #e > 2
}

high severity high confidence

Data Sources

Chronicle UDM normalized endpoint telemetry Google Chronicle SIEM ingested network flow data Chronicle-normalized Windows event logs (Sysmon Event ID 3) Chronicle-normalized Linux auditd network events

Required Tables

UDM Events (metadata.event_type = NETWORK_CONNECTION)

False Positives

Custom internal mail relay or notification agents built by IT or DevOps teams that use generic binary names (notify.exe, alert_sender.exe, mailer.exe) to send SMTP notifications, triggering the rule due to non-matching process names
Mail migration or PST export tools that pull mailbox data via IMAP/POP3 (e.g., migration scripts, compliance archival agents) using proprietary binary names during scheduled archive operations
Security monitoring products or EDR agents that perform periodic mail gateway health checks or STARTTLS capability probing against internal mail servers

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| in(field=RemotePort, values=[25, 465, 587, 110, 995, 143, 993])
| !regex(field=ImageFileName, regex="(?i)(outlook|thunderbird|MailClient|eM.Client|msedge|chrome|firefox)\\.exe$")
| Protocol := case {
    in(field=RemotePort, values=[25, 465, 587]) => "SMTP";
    in(field=RemotePort, values=[110, 995]) => "POP3";
    in(field=RemotePort, values=[143, 993]) => "IMAP";
    * => "Unknown"
  }
| groupBy(
    [ComputerName, ImageFileName, RemoteAddressIP4, RemotePort, Protocol, UserName],
    function=[
      count(as=ConnectionCount),
      min(ContextTimeStamp, as=FirstSeen),
      max(ContextTimeStamp, as=LastSeen)
    ]
  )
| ConnectionCount > 2
| sort(ConnectionCount, order=desc, limit=100)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (NetworkConnectIP4 events via FDR or LogScale) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio / LogScale SIEM

Required Tables

NetworkConnectIP4 (#event_simpleName Falcon event type)

False Positives

Scripting runtime processes (powershell.exe, python.exe, wscript.exe, cscript.exe) used by legitimate IT automation to send SMTP notifications or read mail via IMAP for ticketing integrations
Custom enterprise thick clients or internal tools built on .NET or Java frameworks that handle email but do not match standard mail client binary naming conventions
Vulnerability scanners or network asset discovery tools (e.g., Nessus, OpenVAS agent processes) probing mail ports as part of scheduled or on-demand authorized scans

Mail Protocols

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections