Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3)

Technique Detected: Mail Protocols | T1071.003

ID: DET0135
Domains: Enterprise
Analytics: AN0379, AN0380, AN0381, AN0382
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0379

Detects unauthorized use of SMTP/IMAP/POP3 by suspicious binaries (e.g., PowerShell, rundll32) to exfiltrate data or beacon via email, often bypassing proxy or content filters.

Log Sources
Data Component                       | Name               | Channel
Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3
Process Creation (DC0032)            | WinEventLog:Sysmon | EventCode=1
Network Traffic Content (DC0085)     | NSM:Flow           | smtp.log

Mutable Elements
Field            | Description
ProcessImageName | Limit to uncommon clients (e.g., scripts or CLI tools using .NET SMTP libraries)
DestPortFilter   | Typically 25, 587, 993, 995, or 465; flag anomalies
AttachmentType   | Flag suspicious attachments (e.g., .zip, .7z, .bin)

AN0380

Detects non-interactive or script-driven email transmission using tools like sendmail, mailx, or custom SMTP scripts by background processes, especially when sending attachments or large payloads.

Log Sources
Data Component                   | Name           | Channel
Process Creation (DC0032)        | auditd:SYSCALL | execve
Network Traffic Content (DC0085) | NSM:Flow       | smtp.log, conn.log

Mutable Elements
Field                 | Description
TransferSizeThreshold | Bytes transferred via SMTP session
ScriptNameFilter      | e.g., base64 encoded mailer scripts or one-liners in cron

AN0381

Detects email-sending behavior via Terminal, AppleScript, or Automator that interfaces with SMTP or IMAP, typically using curl or mail-related APIs in unsanctioned contexts.

Log Sources
Data Component               | Name             | Channel
Process Creation (DC0032)    | macos:unifiedlog | log stream --predicate 'processImagePath CONTAINS "curl" OR "osascript"'
Network Traffic Flow (DC0078) | macos:osquery   | socket_events

Mutable Elements
Field       | Description
UserContext | Monitor non-mail client users initiating SMTP/IMAP
TimeWindow  | Look for execution of mail commands during off-hours

AN0382

Detects hosts transmitting large volumes of SMTP, IMAP, or POP3 traffic to external IPs or relays that aren't associated with the enterprise mail infrastructure.

Log Sources
Data Component                   | Name     | Channel
Network Traffic Content (DC0085) | NSM:Flow | smtp.log, conn.log

Mutable Elements
Field                  | Description
ExternalMailRelayFilter | Dest IPs not matching sanctioned SMTP/IMAP relays
OutflowToInflowRatio    | Outbound email bytes vastly exceed response
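An added worked example of the AN0382 logic over Zeek conn.log, not MITRE's or Zeek's code: it parses the TSV log, sums mail-protocol bytes per originating host toward responders outside the sanctioned relays (ExternalMailRelayFilter), and flags hosts whose outbound bytes exceed a floor and whose outflow/inflow ratio (OutflowToInflowRatio) is high. The log text is constructed with a reduced conn.log field set; the relay range, the byte floor and the ratio are assumed values.

```python
"""Per-host outbound mail volume and outflow/inflow ratio from Zeek conn.log (AN0382-style).

Added example; not MITRE's or Zeek's code. The log below is constructed with
a reduced conn.log field set; thresholds and relay ranges are assumptions.
"""
import ipaddress
from collections import defaultdict

MAIL_SERVICES = {"smtp", "imap", "pop3"}       # Zeek service labels
MAIL_PORTS = {25, 587, 465, 993, 995}          # fallback when service is unset ("-")

# Mutable element ExternalMailRelayFilter (assumed sanctioned relay range).
SANCTIONED_RELAYS = [ipaddress.ip_network("10.0.5.0/24")]
# Assumed tuning values: minimum outbound bytes and minimum outflow/inflow ratio.
MIN_ORIG_BYTES = 1_000_000
MIN_RATIO = 20.0


def parse_conn_log(text: str) -> list:
    """Parse Zeek TSV log text into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _is_sanctioned(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SANCTIONED_RELAYS)


def _to_int(value) -> int:
    """Zeek writes '-' for unset counters; treat that as zero."""
    return 0 if value in (None, "", "-") else int(value)


def aggregate_mail_flows(rows: list) -> dict:
    """Sum mail-protocol bytes per originator toward non-sanctioned responders."""
    totals = defaultdict(lambda: {"orig_bytes": 0, "resp_bytes": 0, "responders": set()})
    for r in rows:
        is_mail = r.get("service") in MAIL_SERVICES or int(r["id.resp_p"]) in MAIL_PORTS
        if not is_mail or _is_sanctioned(r["id.resp_h"]):
            continue
        t = totals[r["id.orig_h"]]
        t["orig_bytes"] += _to_int(r.get("orig_bytes"))
        t["resp_bytes"] += _to_int(r.get("resp_bytes"))
        t["responders"].add(r["id.resp_h"])
    return dict(totals)


def flag_hosts(totals: dict, min_bytes=MIN_ORIG_BYTES, min_ratio=MIN_RATIO) -> list:
    """Hosts that both exceed the byte floor and show a lopsided outflow ratio."""
    findings = []
    for host, t in totals.items():
        ratio = t["orig_bytes"] / max(t["resp_bytes"], 1)   # server may never answer
        if t["orig_bytes"] >= min_bytes and ratio >= min_ratio:
            findings.append({"host": host, "orig_bytes": t["orig_bytes"],
                             "ratio": round(ratio, 1),
                             "responders": sorted(t["responders"])})
    return sorted(findings, key=lambda f: f["orig_bytes"], reverse=True)


# Constructed conn.log excerpt (reduced field set, tab-separated like Zeek output).
_ROWS = [
    ("1.0", "C1", "10.1.1.10", "50001", "10.0.5.20",   "587", "tcp", "smtp", "45000",   "3200"),
    ("2.0", "C2", "10.1.1.23", "50002", "203.0.113.45", "587", "tcp", "smtp", "2400000", "1800"),
    ("3.0", "C3", "10.1.1.23", "50003", "203.0.113.45", "587", "tcp", "smtp", "1900000", "1500"),
    ("4.0", "C4", "10.1.1.23", "50004", "198.51.100.7", "993", "tcp", "imap", "800",     "120000"),
    ("5.0", "C5", "10.1.1.40", "50005", "203.0.113.9",  "25",  "tcp", "-",    "300000",  "900"),
    ("6.0", "C6", "10.1.1.40", "50006", "198.51.100.9", "443", "tcp", "ssl",  "5000000", "20000"),
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#path\tconn",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes"]
    + ["\t".join(r) for r in _ROWS])

if __name__ == "__main__":
    for f in flag_hosts(aggregate_mail_flows(parse_conn_log(SAMPLE_CONN_LOG))):
        print(f)
```

In the constructed data only 10.1.1.23 is flagged: it pushed about 4.3 MB through external SMTP and IMAP servers against roughly 123 KB returned. Host 10.1.1.40 has an even more lopsided ratio on port 25 (matched by port because Zeek left service unset) but stays under the byte floor, and its large HTTPS upload is ignored because the analytic scopes to mail protocols; lowering min_bytes is how an analyst would widen the net.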