T1071.003 Google Chronicle · YARA-L

Detect Mail Protocols in Google Chronicle

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1071 Application Layer Protocol
Sub-technique
T1071.003 Mail Protocols
Canonical reference
https://attack.mitre.org/techniques/T1071/003/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1071_003_non_mail_process_mail_protocol {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-standard processes making repeated outbound connections to mail protocol ports (SMTP/POP3/IMAP), indicative of T1071.003 adversarial C2 over mail protocols"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1071.003"
    reference = "https://attack.mitre.org/techniques/T1071/003/"
    created = "2026-01-01"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    (
      $e.target.port = 25 or
      $e.target.port = 465 or
      $e.target.port = 587 or
      $e.target.port = 110 or
      $e.target.port = 995 or
      $e.target.port = 143 or
      $e.target.port = 993
    )
    not re.regex(
      $e.principal.process.file.full_path,
      `(?i)(outlook|thunderbird|mailclient|em\.client|msedge|chrome|firefox|safari)\.exe`
    )
    $host = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
    $dest_ip = $e.target.ip

  match:
    $host, $proc, $dest_ip over 24h

  condition:
    #e > 2
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting repeated outbound connections to mail protocol ports from non-standard processes using UDM NETWORK_CONNECTION events. Correlates by host, process path, and destination IP over a 24-hour window, requiring more than 2 events to distinguish persistent C2 channel activity from transient connections. Excludes known legitimate mail clients via regex on the full process path.

Data Sources

Chronicle UDM normalized endpoint telemetryGoogle Chronicle SIEM ingested network flow dataChronicle-normalized Windows event logs (Sysmon Event ID 3)Chronicle-normalized Linux auditd network events

Required Tables

UDM Events (metadata.event_type = NETWORK_CONNECTION)

False Positives & Tuning

  • Custom internal mail relay or notification agents built by IT or DevOps teams that use generic binary names (notify.exe, alert_sender.exe, mailer.exe) to send SMTP notifications, triggering the rule due to non-matching process names
  • Mail migration or PST export tools that pull mailbox data via IMAP/POP3 (e.g., migration scripts, compliance archival agents) using proprietary binary names during scheduled archive operations
  • Security monitoring products or EDR agents that perform periodic mail gateway health checks or STARTTLS capability probing against internal mail servers
Download portable Sigma rule (.yml)

Other platforms for T1071.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SMTP C2 Exfiltration via PowerShell

    Expected signal: Sysmon Event ID 1: PowerShell process creation with Send-MailMessage in command line. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:25. PowerShell ScriptBlock Log Event ID 4104 with SMTP command details.

  2. Test 2POP3 Command Retrieval Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from nc to 127.0.0.1:110. Process creation event for nc with POP3 commands piped via stdin.

  3. Test 3IMAP C2 Channel Simulation

    Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:143. Process creation event for curl with imap:// URL and credentials in command line.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1071.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1071Application Layer Protocol

Related Sub-techniques

T1071.001Web ProtocolsT1071.002File Transfer ProtocolsT1071.004DNST1071.005Publish/Subscribe Protocols

Related Techniques

T1071Application Layer ProtocolT1048.003Exfiltration Over Unencrypted Non-C2 ProtocolT1114Email CollectionT1137Office Application StartupT1132.001Standard EncodingT1573Encrypted ChannelT1102Web Service

Same Tactic: Command and Control

Popular Detections