Description
Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28)
Platforms
Mitigations (2)
Filter Network TrafficM1037
Limit the ability of servers and critical systems to initiate outbound email communications. Filtering SMTP/IMAP/POP3 traffic to only trusted mail servers reduces the risk of attackers using compromised systems to exfiltrate data via email or to receive commands from attacker-controlled email accounts.
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used multiple backdoors which communicate with a C2 server via email attachments.(Citation: Crowdst... |
| G0083 | SilverTerrier | [SilverTerrier](https://attack.mitre.org/groups/G0083) uses SMTP for C2 communications.(Citation: Unit42 SilverTerrier 2018) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used email for C2 via an Office macro.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereas... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-reg... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used e-mail to send exfiltrated data to C2 servers.(Citation: CISA AA20-301A Kimsuky) |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has utilized email notifications from malware distribution servers to track victim engag... |
Associated Software (20)
| ID | Name | Type | Context |
|---|---|---|---|
| S0126 | ComRAT | Malware | [ComRAT](https://attack.mitre.org/software/S0126) can use email attachments for command and control.(Citation: ESET ComRAT May 2020) |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) uses SMTP for C2.(Citation: ESET LightNeuron May 2019) |
| S0137 | CORESHELL | Malware | [CORESHELL](https://attack.mitre.org/software/S0137) can communicate over SMTP and POP3 for C2.(Citation: FireEye APT28)(Citation: Microsoft SIR Vol 1... |
| S0337 | BadPatch | Malware | [BadPatch](https://attack.mitre.org/software/S0337) uses SMTP for C2.(Citation: Unit 42 BadPatch Oct 2017) |
| S0023 | CHOPSTICK | Malware | Various implementations of [CHOPSTICK](https://attack.mitre.org/software/S0023) communicate with C2 over SMTP and POP3.(Citation: ESET Sednit Part 2) |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can use custom communications protocols that ride over SMTP.(Citation: Joint Cybersecurity Advisor... |
| S0201 | JPIN | Malware | [JPIN](https://attack.mitre.org/software/S0201) can send email over SMTP.(Citation: Microsoft PLATINUM April 2016) |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) is capable of using SMTP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron F... |
| S0247 | NavRAT | Malware | [NavRAT](https://attack.mitre.org/software/S0247) uses the email platform, Naver, for C2 communications, leveraging SMTP.(Citation: Talos NavRAT May 2... |
| S0351 | Cannon | Malware | [Cannon](https://attack.mitre.org/software/S0351) uses SMTP/S and POP3/S for C2 communications by sending and receiving emails.(Citation: Unit42 Canno... |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) uses SMTP and POP3 for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Ci... |
| S0138 | OLDBAIT | Malware | [OLDBAIT](https://attack.mitre.org/software/S0138) can use SMTP for C2.(Citation: FireEye APT28) |
| S0495 | RDAT | Malware | [RDAT](https://attack.mitre.org/software/S0495) can use email attachments for C2 communications.(Citation: Unit42 RDAT July 2020) |
| S1090 | NightClub | Malware | [NightClub](https://attack.mitre.org/software/S1090) can use emails for C2 communications.(Citation: MoustachedBouncer ESET August 2023) |
| S1173 | PowerExchange | Malware | [PowerExchange](https://attack.mitre.org/software/S1173) can receive and send back the results of executed C2 commands through email.(Citation: Symant... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has used SMTP for C2 communications.(Citation: Cofense Agent Tesla)(Citation: Fortinet Agent Te... |
| S0477 | Goopy | Malware | [Goopy](https://attack.mitre.org/software/S0477) has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cyber... |
| S1152 | IMAPLoader | Malware | [IMAPLoader](https://attack.mitre.org/software/S1152) uses the IMAP email protocol for command and control purposes.(Citation: PWC Yellow Liderc 2023) |
| S1042 | SUGARDUMP | Malware | A [SUGARDUMP](https://attack.mitre.org/software/S1042) variant used SMTP for C2.(Citation: Mandiant UNC3890 Aug 2022) |
| S1142 | LunarMail | Malware | [LunarMail](https://attack.mitre.org/software/S1142) can communicates with C2 using email messages via the Outlook Messaging API (MAPI).(Citation: ESE... |
Related CWE Weaknesses
References
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
Frequently Asked Questions
What is T1071.003 (Mail Protocols)?
T1071.003 is a MITRE ATT&CK technique named 'Mail Protocols'. It belongs to the Command and Control tactic(s). Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote...
How can T1071.003 be detected?
Detection of T1071.003 (Mail Protocols) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1071.003?
There are 2 documented mitigations for T1071.003. Key mitigations include: Filter Network Traffic, Network Intrusion Prevention.
Which threat groups use T1071.003?
Known threat groups using T1071.003 include: Turla, SilverTerrier, APT32, APT28, Kimsuky, Contagious Interview.