Application Layer Protocol: Mail Protocols

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

ID: T1071.003
Sub-technique of:  T1071
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Version: 1.0
Created: 15 March 2020
Last Modified: 21 October 2020

Procedure Examples

Name Description
Agent Tesla

Agent Tesla has used SMTP for C2 communications.[1][2][3]


APT28 used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims.[4]


APT32 has used email for C2 via an Office macro.[5][6]


BadPatch uses SMTP for C2.[7]


Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.[8]


Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.[9]


ComRAT can use email attachments for command and control.[10]


CORESHELL can communicate over SMTP and POP3 for C2.[4][11]


Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.[6]


JPIN can send email over SMTP.[12]


LightNeuron uses SMTP for C2.[13]


NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.[14]


OLDBAIT can use SMTP for C2.[4]


RDAT can use email attachments for C2 communications.[15]


Remsec is capable of using SMTP for C2.[16][17][18]


SilverTerrier uses SMTP for C2 communications.[19]


Zebrocy uses SMTP and POP3 for C2.[20][8][21][22][23][24]


Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.


Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.[25]