1. Home
  2. Techniques
  3. Enterprise
  4. Application Layer Protocol
  5. Mail Protocols

Application Layer Protocol: Mail Protocols

ID Name
T1071.001 Web Protocols
T1071.002 File Transfer Protocols
T1071.003 Mail Protocols
T1071.004 DNS
T1071.005 Publish/Subscribe Protocols

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.[1]

ID: T1071.003
Sub-technique of:  T1071
Tactic: Command and Control
Platforms: Linux, Network Devices, Windows, macOS
Contributors: Don Le, Stifel Financial
Version: 1.2
Created: 15 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has used SMTP for C2 communications.[2][3][4]
G0007 APT28

APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.[1][5]
G0050 APT32

APT32 has used email for C2 via an Office macro.[6][7]
S0337 BadPatch

BadPatch uses SMTP for C2.[8]
S0351 Cannon

Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[9]
S0023 CHOPSTICK

Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[10]
S0126 ComRAT

ComRAT can use email attachments for command and control.[11]
G1052 Contagious Interview

Contagious Interview has utilized email notifications from malware distribution servers to track victim engagement.[12]
S0137 CORESHELL

CORESHELL can communicate over SMTP and POP3 for C2.[1][13]
S0477 Goopy

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[7]

S1152 IMAPLoader

IMAPLoader uses the IMAP email protocol for command and control purposes.[14]
S0201 JPIN

JPIN can send email over SMTP.[15]
G0094 Kimsuky

Kimsuky has used e-mail to send exfiltrated data to C2 servers.[16]
S0395 LightNeuron

LightNeuron uses SMTP for C2.[17]
S1142 LunarMail

LunarMail can communicates with C2 using email messages via the Outlook Messaging API (MAPI).[18]
S0247 NavRAT

NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[19]
S1090 NightClub

NightClub can use emails for C2 communications.[20]
S0138 OLDBAIT

OLDBAIT can use SMTP for C2.[1]
S1173 PowerExchange

PowerExchange can receive and send back the results of executed C2 commands through email.[21]
S0495 RDAT

RDAT can use email attachments for C2 communications.[22]
S0125 Remsec

Remsec is capable of using SMTP for C2.[23][24][25][26]
G0083 SilverTerrier

SilverTerrier uses SMTP for C2 communications.[27]
S1042 SUGARDUMP

A SUGARDUMP variant used SMTP for C2.[28]
G0010 Turla

Turla has used multiple backdoors which communicate with a C2 server via email attachments.[29]
S0022 Uroburos

Uroburos can use custom communications protocols that ride over SMTP.[30]
S0251 Zebrocy

Zebrocy uses SMTP and POP3 for C2.[31][9][32][33][34]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Limit the ability of servers and critical systems to initiate outbound email communications. Filtering SMTP/IMAP/POP3 traffic to only trusted mail servers reduces the risk of attackers using compromised systems to exfiltrate data via email or to receive commands from attacker-controlled email accounts.
M1031 Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0135 Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3) AN0379

Detects unauthorized use of SMTP/IMAP/POP3 by suspicious binaries (e.g., PowerShell, rundll32) to exfiltrate data or beacon via email, often bypassing proxy or content filters.
AN0380

Detects non-interactive or script-driven email transmission using tools like sendmail, mailx, or custom SMTP scripts by background processes, especially when sending attachments or large payloads.
AN0381

Detects email-sending behavior via Terminal, AppleScript, or Automator that interfaces with SMTP or IMAP, typically using curl or mail-related APIs in unsanctioned contexts.
AN0382

Detects hosts transmitting large volumes of SMTP, IMAP, or POP3 traffic to external IPs or relays that aren't associated with the enterprise mail infrastructure.

References

  1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  2. James Arndt. (2023, February 21). The Rise of Agent Tesla: Understanding the Notorious Keylogger. Retrieved January 10, 2024.
  3. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  4. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  5. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  6. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  7. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  8. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  9. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  10. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  11. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  12. Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025.
  13. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  14. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  15. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  16. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  17. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  1. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  2. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  3. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  4. Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.
  5. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  6. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  7. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  8. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  9. Michael Mimoso. (2016, August 8). ProjectSauron APT On Par With Equation, Flame, Duqu. Retrieved January 10, 2024.
  10. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
  11. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  12. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  13. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  14. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  15. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  16. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  17. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.