title: Transport Agent (T1505.002)
id: df00tech-t1505-002
status: experimental
description: "Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline, so a malicious agent sees every message the server handles. Turla's LightNeuron malware is the canonical example: registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance."
references:
  - https://attack.mitre.org/techniques/T1505/002/
  - https://df00tech.com/detections/T1505.002
author: df00tech
date: 2026/04/19
tags:
  - attack.t1505.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: this detection logic could not be auto-translated, and the wildcard
  # EventID selection below matches every process_creation event. Do not deploy this rule
  # as-is; see the KQL/SPL query on df00tech for the actual detection logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate Exchange transport agent installations for anti-spam, DLP, or email archiving solutions (Mimecast, Proofpoint, Microsoft journaling agents)"
  - Exchange cumulative update installation writing DLLs to Exchange directories
  - IT administrators deploying custom transport agents for compliance journaling or email routing
  - Third-party email security products that register as transport agents
level: critical
