
Suspicious Outbound SMTP Connections

sigma MEDIUM SigmaHQ
T1048.003
imNetworkSession
backdoor
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-06T11:00:00Z · Confidence: medium

Hunt Hypothesis

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Detection Rule

Sigma (Original)

title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium

KQL (Azure Sentinel)

imNetworkSession
// DstPortNumber is an int in the ASIM NetworkSession schema, so compare against numbers;
// the Sigma field Initiated: 'true' maps to an Outbound NetworkDirection, not the literal "true".
| where DstPortNumber in (25, 587, 465, 2525)
    and NetworkDirection =~ "Outbound"
// filter_clients: desktop mail clients
| where not(
        SrcProcessName endswith "\\thunderbird.exe" or SrcProcessName endswith "\\outlook.exe"
     or DstProcessName endswith "\\thunderbird.exe" or DstProcessName endswith "\\outlook.exe"
// filter_mailserver: on-premises Exchange binaries
     or SrcProcessName startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"
     or DstProcessName startswith "C:\\Program Files\\Microsoft\\Exchange Server\\"
// filter_outlook: Windows Mail sync host; prefix and suffix must both match
     or ((SrcProcessName startswith "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"
          or DstProcessName startswith "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_")
         and (SrcProcessName endswith "\\HxTsr.exe" or DstProcessName endswith "\\HxTsr.exe"))
  )
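The Sigma condition `selection and not 1 of filter_*` is easy to misread, in particular that `filter_outlook` is a single filter whose `startswith` and `endswith` must both hold on the same image. The following Python re-implementation of the rule logic is an added example, not code from SigmaHQ or from this page; it runs over constructed Sysmon Event ID 3 style records (the field names `Image`, `DestinationPort`, `Initiated` are Sysmon's, the paths and package version are made up) and returns the images the rule would alert on.

```python
# Added example, not part of the SigmaHQ rule or this page: a Python
# re-implementation of the rule's selection/filter logic, run over a few
# constructed Sysmon Event ID 3 (network connection) records.
from dataclasses import dataclass
from typing import Iterable, List

# Ports from the rule's `selection`: SMTP, submission, SMTPS, common alternate port
SMTP_PORTS = {25, 587, 465, 2525}

# filter_clients: well-known desktop mail clients (Image|endswith)
MAIL_CLIENT_SUFFIXES = ("\\thunderbird.exe", "\\outlook.exe")
# filter_mailserver: on-premises Exchange binaries (Image|startswith)
EXCHANGE_PREFIX = "C:\\Program Files\\Microsoft\\Exchange Server\\"
# filter_outlook: Windows Mail sync host; BOTH conditions must hold on one image
WINDOWS_MAIL_PREFIX = "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_"
WINDOWS_MAIL_SUFFIX = "\\HxTsr.exe"


@dataclass(frozen=True)
class NetworkConnection:
    image: str
    destination_port: int
    initiated: bool


def from_sysmon_record(record: dict) -> NetworkConnection:
    """Normalise a raw Sysmon EID 3 record (all string fields) into typed values."""
    return NetworkConnection(
        image=record["Image"],
        destination_port=int(record["DestinationPort"]),
        initiated=record["Initiated"].strip().lower() == "true",
    )


def _endswith_any(image_lower: str, suffixes: Iterable[str]) -> bool:
    # Sigma string modifiers compare case-insensitively by default
    return any(image_lower.endswith(s.lower()) for s in suffixes)


def matches_selection(conn: NetworkConnection) -> bool:
    """`selection`: a connection this host initiated to an SMTP port."""
    return conn.initiated and conn.destination_port in SMTP_PORTS


def is_filtered(conn: NetworkConnection) -> bool:
    """`1 of filter_*`: any single allow-list filter suppresses the alert."""
    img = conn.image.lower()
    filter_clients = _endswith_any(img, MAIL_CLIENT_SUFFIXES)
    filter_mailserver = img.startswith(EXCHANGE_PREFIX.lower())
    # filter_outlook is an AND inside one filter: prefix and suffix on the same image
    filter_outlook = (img.startswith(WINDOWS_MAIL_PREFIX.lower())
                      and img.endswith(WINDOWS_MAIL_SUFFIX.lower()))
    return filter_clients or filter_mailserver or filter_outlook


def is_suspicious(conn: NetworkConnection) -> bool:
    """condition: selection and not 1 of filter_*"""
    return matches_selection(conn) and not is_filtered(conn)


def find_suspicious(records: Iterable[dict]) -> List[str]:
    """Return the Image of every record the rule would alert on, in input order."""
    return [r["Image"] for r in records if is_suspicious(from_sysmon_record(r))]


# Constructed sample records (not real telemetry; paths and version string are invented)
SAMPLE_RECORDS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationPort": "587", "Initiated": "true"},   # alert
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationPort": "587", "Initiated": "true"},   # filter_clients (case-insensitive)
    {"Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe",
     "DestinationPort": "25", "Initiated": "true"},    # filter_mailserver
    {"Image": "C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_1.0.0.0_x64__example\\HxTsr.exe",
     "DestinationPort": "465", "Initiated": "true"},   # filter_outlook (prefix AND suffix)
    {"Image": "C:\\Users\\Public\\HxTsr.exe",
     "DestinationPort": "465", "Initiated": "true"},   # alert: right name, wrong location
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationPort": "443", "Initiated": "true"},   # not an SMTP port
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationPort": "25", "Initiated": "false"},   # inbound, not initiated
]

if __name__ == "__main__":
    for image in find_suspicious(SAMPLE_RECORDS):
        print("ALERT:", image)
```

Two of the seven constructed records fire: the PowerShell connection to port 587, and the `HxTsr.exe` copy outside the `WindowsApps` package path, which shows why `filter_outlook` pins both the prefix and the suffix rather than the file name alone. When tuning the `falsepositives` entry ("Other SMTP tools"), prefer adding a further `filter_*` block keyed on a full installation path in the same way, rather than widening the `endswith` list to a bare executable name.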

Required Data Sources

Sentinel Table      Notes
imNetworkSession    Ensure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml