Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SMTP-Exfiltration.
Upgrade to ProDetect Data Exfiltration via Outbound SMTP in Microsoft Sentinel
A large share of commodity keyloggers and infostealers — Agent Tesla, Formbook, Snake Keylogger, and numerous VB6/AutoIt-based tools — exfiltrate harvested credentials, screenshots, and keystroke logs by connecting directly to an SMTP server (often a throwaway or compromised legitimate mailbox on Gmail, Yandex, or a bulletproof host) and emailing the stolen data as an attachment. This differs from Business Email Compromise data-theft techniques (mailbox rule forwarding, covered under Collection) in that the malware itself is the SMTP client: it authenticates with hardcoded credentials and sends mail directly from the compromised endpoint, generating an outbound SMTP connection (port 25/587/465) from a process that is never normally an email client — a strong, protocol-level anomaly on modern endpoints where nearly all legitimate mail flows through a managed mail server or a browser-based webmail session over HTTPS, not a raw SMTP socket opened by an arbitrary process.
MITRE ATT&CK
- Tactic
- Exfiltration
KQL Detection Query
let LookbackWindow = 24h;
let SmtpPorts = dynamic([25, 465, 587]);
let KnownMailProcesses = dynamic(["outlook.exe", "thunderbird.exe", "mailapp", "exchange", "postfix", "sendmail"]);
DeviceNetworkEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (SmtpPorts)
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !has_any (KnownMailProcesses)
| where DeviceName !has_any (dynamic(["mail", "smtp", "exchange", "relay"])) // exclude designated mail infrastructure hosts by naming convention
| summarize
ConnectionCount = count(),
UniqueRemoteIPs = dcount(RemoteIP),
RemoteIPs = make_set(RemoteIP, 5),
RemotePorts = make_set(RemotePort, 3),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| extend IsScriptOrCompiledNonMailer = InitiatingProcessFileName has_any (dynamic(
[".exe", ".dll", "powershell", "python", "wscript", "cscript"]))
| where ConnectionCount >= 1
| project FirstSeen, LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessFolderPath, InitiatingProcessCommandLine, ConnectionCount,
UniqueRemoteIPs, RemoteIPs, RemotePorts
| sort by LastSeen desc Flags any endpoint process other than a recognized mail client or designated mail-relay host establishing an outbound connection on SMTP ports (25, 465, 587) to a public IP. On modern managed endpoints, legitimate mail flows through Outlook/Exchange (which itself talks to Exchange Online over HTTPS, not raw SMTP) or a browser-based webmail client — a standalone binary, script interpreter, or unexpected process opening a raw SMTP socket is a high-signal anomaly consistent with malware directly emailing stolen data to an adversary-controlled mailbox.
Data Sources
Required Tables
False Positives & Tuning
- Legacy line-of-business applications that send transactional or notification email directly via SMTP (invoicing systems, monitoring/alerting tools, print-to-email appliances) — should be documented and excluded by process name and destination mail relay IP
- Scripted automation (backup job completion emails, CI/CD pipeline notifications) using smtplib, PowerShell Send-MailMessage, or similar libraries against an approved internal relay
- Multi-function printers/scanners with scan-to-email features that route through a workstation-adjacent relay agent
- Development or QA environments intentionally testing SMTP integration code paths
Other platforms for THREAT-SMTP-Exfiltration
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated Direct SMTP Exfiltration Connection via PowerShell
Expected signal: Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 127.0.0.1:587 (or the configured test relay). DeviceNetworkEvents: connection record with RemotePort=587, InitiatingProcessFileName=powershell.exe. If a local test SMTP listener (e.g. Python smtpd/aiosmtpd) is running to receive the session, its logs will show the EHLO, MAIL FROM, RCPT TO, and DATA commands with the synthetic credential payload.
- Test 2Periodic SMTP Beacon Simulation (Keylogger Exfil Interval Pattern)
Expected signal: Sysmon Event ID 1: update_helper.exe (a copy of powershell.exe) executing from %TEMP%\atomic_smtp_test\. Sysmon Event ID 3: three network connection events to 127.0.0.1:587 spaced ~5 seconds apart, initiated by the temp-directory binary.
References (5)
- https://attack.mitre.org/techniques/T1048/
- https://attack.mitre.org/techniques/T1048/003/
- https://www.fortinet.com/blog/threat-research/agent-tesla-old-cybercrime-rat-new-tricks
- https://www.cisecurity.org/insights/blog/top-10-malware-agent-tesla
- https://github.com/SigmaHQ/sigma/tree/master/rules/network
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-SMTP-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month