Detect Mail Protocols in Elastic Security
Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1071 Application Layer Protocol
- Sub-technique
- T1071.003 Mail Protocols
- Canonical reference
- https://attack.mitre.org/techniques/T1071/003/
Elastic Detection Query
sequence by host.name, process.entity_id with maxspan=24h
[network where event.type == "connection_attempted" and
destination.port in (25, 465, 587, 110, 995, 143, 993) and
not process.name in~ ("outlook.exe", "thunderbird.exe", "mailclient.exe", "em client.exe", "msedge.exe", "chrome.exe", "firefox.exe", "safari.exe")] with runs=3Detects non-standard mail client processes establishing repeated outbound connections to mail protocol ports (SMTP: 25/465/587, POP3: 110/995, IMAP: 143/993). Uses EQL sequence with runs=3 to require at least 3 connection attempts by the same process on the same host within 24 hours, reducing noise from one-off test connections while surfacing persistent C2 channel establishment.
Data Sources
Required Tables
False Positives & Tuning
- Automated IT monitoring or alerting scripts using Python smtplib, PowerShell Send-MailMessage, or similar runtime processes (python.exe, powershell.exe) to send legitimate system notifications via SMTP
- Mail archiving, backup, or compliance solutions (e.g., MailStore, Veeam) that connect via IMAP/POP3 using custom or vendor-specific process names not present in the exclusion list
- Third-party email clients with non-standard binary names (e.g., Mailbird, The Bat!, Postbox, Evolution) that are legitimately installed but not covered by the process name exclusion list
- Security scanning tools or network discovery agents probing mail server availability on mail ports during authorized vulnerability assessments
Other platforms for T1071.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SMTP C2 Exfiltration via PowerShell
Expected signal: Sysmon Event ID 1: PowerShell process creation with Send-MailMessage in command line. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:25. PowerShell ScriptBlock Log Event ID 4104 with SMTP command details.
- Test 2POP3 Command Retrieval Simulation
Expected signal: Sysmon for Linux Event ID 3: Network connection from nc to 127.0.0.1:110. Process creation event for nc with POP3 commands piped via stdin.
- Test 3IMAP C2 Channel Simulation
Expected signal: Sysmon for Linux Event ID 3: Network connection from curl to 127.0.0.1:143. Process creation event for curl with imap:// URL and credentials in command line.
References (6)
- https://attack.mitre.org/techniques/T1071/003/
- https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.003/T1071.003.md
- https://pwc.github.io/issues/2023/yellow-liderc.html
Unlock Pro Content
Get the full detection package for T1071.003 including response playbook, investigation guide, and atomic red team tests.