Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-SMTP-Exfiltration.

Upgrade to Pro
THREAT-SMTP-Exfiltration Splunk · SPL

Detect Data Exfiltration via Outbound SMTP in Splunk

A large share of commodity keyloggers and infostealers — Agent Tesla, Formbook, Snake Keylogger, and numerous VB6/AutoIt-based tools — exfiltrate harvested credentials, screenshots, and keystroke logs by connecting directly to an SMTP server (often a throwaway or compromised legitimate mailbox on Gmail, Yandex, or a bulletproof host) and emailing the stolen data as an attachment. This differs from Business Email Compromise data-theft techniques (mailbox rule forwarding, covered under Collection) in that the malware itself is the SMTP client: it authenticates with hardcoded credentials and sends mail directly from the compromised endpoint, generating an outbound SMTP connection (port 25/587/465) from a process that is never normally an email client — a strong, protocol-level anomaly on modern endpoints where nearly all legitimate mail flows through a managed mail server or a browser-based webmail session over HTTPS, not a raw SMTP socket opened by an arbitrary process.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
index=firewall OR index=netflow (dest_port=25 OR dest_port=465 OR dest_port=587)
NOT process_name IN ("outlook.exe","thunderbird.exe","exchange*","postfix","sendmail")
NOT (cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip))
| stats
    count as ConnectionCount,
    dc(dest_ip) as UniqueRemoteIPs,
    values(dest_ip) as RemoteIPs,
    values(dest_port) as RemotePorts,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by src_ip, user, process_name, process_path, CommandLine
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table FirstSeen, LastSeen, src_ip, user, process_name, process_path, CommandLine, ConnectionCount, UniqueRemoteIPs, RemoteIPs, RemotePorts
| sort - ConnectionCount
high severity medium confidence

Splunk detection over firewall/netflow data for outbound connections to SMTP ports (25/465/587) to public IP space from any process other than a recognized mail client or mail server, excluding RFC1918 destinations via cidrmatch() range comparisons (a plain IN/= string-equality test against a CIDR literal never matches an actual dotted-quad IP address and would silently disable the exclusion). Surfaces the process name, path, and command line so analysts can immediately distinguish legitimate line-of-business mail automation from malware directly emailing stolen data.

Data Sources

Firewall/NGFW connection logs with process attribution (via EDR-firewall integration or host-based netflow)Sysmon Event ID 3 (Network Connection) joined against destination port

Required Sourcetypes

firewallnetflow

False Positives & Tuning

  • Legacy line-of-business applications sending transactional email directly via SMTP
  • Scripted automation and backup tooling emailing job-completion notifications via an approved relay
  • Scan-to-email multi-function printers routing through a workstation-adjacent relay agent

Other platforms for THREAT-SMTP-Exfiltration


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated Direct SMTP Exfiltration Connection via PowerShell

    Expected signal: Sysmon Event ID 3 (Network Connection): powershell.exe connecting to 127.0.0.1:587 (or the configured test relay). DeviceNetworkEvents: connection record with RemotePort=587, InitiatingProcessFileName=powershell.exe. If a local test SMTP listener (e.g. Python smtpd/aiosmtpd) is running to receive the session, its logs will show the EHLO, MAIL FROM, RCPT TO, and DATA commands with the synthetic credential payload.

  2. Test 2Periodic SMTP Beacon Simulation (Keylogger Exfil Interval Pattern)

    Expected signal: Sysmon Event ID 1: update_helper.exe (a copy of powershell.exe) executing from %TEMP%\atomic_smtp_test\. Sysmon Event ID 3: three network connection events to 127.0.0.1:587 spaced ~5 seconds apart, initiated by the temp-directory binary.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-SMTP-Exfiltration — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections