Unusual SMTP communication patterns may indicate an adversary attempting to exfiltrate data or establish a command and control channel. SOC teams should proactively hunt for these behaviors in Azure Sentinel to identify potential compromise early and mitigate lateral movement risks.
YARA Rule
rule network_smtp_dotNet {
    meta:
        author = "x0r"
        description = "Communications smtp"
        version = "0.1"
    strings:
        $f1 = "System.Net.Mail" nocase
        $p1 = "SmtpClient" nocase
    condition:
        all of them
}
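The rule matches only when both strings are present, and both are declared with nocase but without wide, so only ASCII (UTF-8) occurrences count. Identifiers in a .NET assembly's #Strings heap are stored as UTF-8, which is what the rule targets, but the same names stored as UTF-16 (for example a script saved in that encoding) would not match. The following added example, which is not the rule itself or anything from its author, re-implements the two patterns and the "all of them" condition in plain Python and runs them over constructed sample buffers so the coverage of the nocase-only choice can be checked; the hypothetical wide variant is modelled by the wide flag.

```python
import re

# Added example (not the rule itself): re-implements the matching semantics of
# network_smtp_dotNet in plain Python so the coverage of "nocase" without
# "wide" can be checked on constructed inputs. Real scanning should use the
# YARA engine; this only models the two string patterns and "all of them".

PATTERNS = {
    "$f1": b"System.Net.Mail",
    "$p1": b"SmtpClient",
}


def ascii_nocase(pattern: bytes) -> "re.Pattern[bytes]":
    """YARA 'nocase' on an ASCII string: literal bytes, case-insensitive."""
    return re.compile(re.escape(pattern), re.IGNORECASE)


def wide_nocase(pattern: bytes) -> "re.Pattern[bytes]":
    """What adding the 'wide' modifier would match: the UTF-16LE form."""
    utf16 = pattern.decode("ascii").encode("utf-16-le")
    return re.compile(re.escape(utf16), re.IGNORECASE)


def match_rule(data: bytes, wide: bool = False) -> dict:
    """Evaluate the rule against a buffer.

    Returns per-string hit flags plus the overall verdict. The condition is
    'all of them', so the verdict is true only when every pattern is found
    at least once. wide=True models a hypothetical 'nocase wide' variant,
    which the published rule does not use."""
    hits = {}
    for ident, pattern in PATTERNS.items():
        regexes = [ascii_nocase(pattern)]
        if wide:
            regexes.append(wide_nocase(pattern))
        hits[ident] = any(rx.search(data) is not None for rx in regexes)
    return {"strings": hits, "matched": all(hits.values())}


# Constructed samples, not real binaries:
# a fragment shaped like a .NET #Strings heap (UTF-8 identifiers, NUL-separated)
SAMPLE_DOTNET = b"MZ\x90\x00" + b"\x00" * 8 + b"System.Net.Mail\x00SmtpClient\x00Send\x00"
# references the namespace but not the client class
SAMPLE_PARTIAL = b"MZ\x90\x00System.Net.Mail\x00WebClient\x00"
# the same identifiers stored as UTF-16LE, as a script saved in that encoding would be
SAMPLE_UTF16 = "New-Object System.Net.Mail.SmtpClient".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in [("dotnet", SAMPLE_DOTNET), ("partial", SAMPLE_PARTIAL), ("utf16", SAMPLE_UTF16)]:
        print(name,
              "ascii-only:", match_rule(blob)["matched"],
              "with wide:", match_rule(blob, wide=True)["matched"])
```

Running it shows the compiled-assembly sample matching, the namespace-only sample failing on $p1, and the UTF-16 sample matching only when the wide modelling is enabled, which is the gap to keep in mind when deciding what file types this rule is scanned against.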
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic ($f1 and $p1), and its condition requires both to be present before it fires.
Scenario: Scheduled Email Reports via SMTP
Description: A system administrator uses a tool like Microsoft Exchange or Postfix to send daily email reports to stakeholders.
Filter/Exclusion: Exclude emails sent from a known reporting email address (e.g., [email protected]) during specific hours (e.g., 8:00 AM to 9:00 AM).

Scenario: User-Initiated Email Communication
Description: Employees use Outlook or Thunderbird to send emails to internal or external contacts as part of regular business operations.
Filter/Exclusion: Exclude emails originating from user accounts with a specific domain (e.g., @company.com) and containing known internal email domains in the "To" or "CC" fields.

Scenario: Automated System Alerts via SMTP
Description: A monitoring tool like Nagios or Zabbix sends automated alerts via SMTP to a dedicated alert email address.
Filter/Exclusion: Exclude emails sent to a specific alert email address (e.g., [email protected]) with a subject line containing keywords like "Alert" or "Notification".

Scenario: Backup Job Email Notifications
Description: A backup system like Veeam or Commvault sends email notifications to administrators when backups complete or fail.
Filter/Exclusion: Exclude emails sent from a known backup service email address (e.g., [email protected]) with a subject line containing "Backup" or "Job Status".

Scenario: Email Verification Tool Usage
Description: A tool like Hunter.io or Clearbit is used to verify email addresses or check domain validity.
Filter/Exclusion: Exclude emails sent from a known verification tool email address (e.g., [email protected]).
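The five exclusions above are the kind of allow-list a SOC encodes in front of an SMTP-anomaly alert so that known benign mail flow is suppressed and everything else is escalated. The following added example is not from the page or any vendor; it implements the scenarios as ordered predicates over a parsed mail event. Every address, domain, keyword list and the 8:00 to 9:00 window are constructed placeholders (the page obscures the real addresses), and one deliberate design choice is noted in the code: the user-initiated exclusion requires every recipient to be internal rather than merely "containing" an internal domain, because a message with one internal CC and an external To is exactly the pattern an exfiltration attempt would produce.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Optional, Tuple

# Added example, not from the page: an allow-list that encodes the five
# filter/exclusion scenarios so SMTP-related alerts can be auto-suppressed
# when they match known benign mail flow. All addresses, domains and the
# time window are constructed placeholders; the page does not show the real ones.


@dataclass
class MailEvent:
    sender: str
    recipients: List[str]   # To and CC addresses, merged
    subject: str
    sent_at: datetime


def make_event(sender: str, recipients: List[str], subject: str, sent_at_iso: str) -> MailEvent:
    """Build an event from the fields a mail log line typically carries."""
    return MailEvent(sender, recipients, subject, datetime.fromisoformat(sent_at_iso))


# --- constructed allow-list values (assumptions) ---
INTERNAL_DOMAINS = {"company.com"}                     # the page's "@company.com"
REPORTING_SENDER = "reports@company.com"               # scheduled report sender
REPORT_WINDOW = (time(8, 0), time(9, 0))               # the page's 8:00-9:00 AM window
ALERT_RECIPIENT = "alerts@company.com"                 # monitoring alert mailbox
ALERT_KEYWORDS = ("alert", "notification")
BACKUP_SENDER = "backup@company.com"                   # backup service sender
BACKUP_KEYWORDS = ("backup", "job status")
VERIFIER_SENDER = "verify@verification-tool.example"   # email verification tool


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _subject_has(ev: MailEvent, keywords: Tuple[str, ...]) -> bool:
    subject = ev.subject.lower()
    return any(k in subject for k in keywords)


def scheduled_reports(ev: MailEvent) -> bool:
    in_window = REPORT_WINDOW[0] <= ev.sent_at.time() <= REPORT_WINDOW[1]
    return ev.sender.lower() == REPORTING_SENDER and in_window


def automated_alerts(ev: MailEvent) -> bool:
    to_alert_box = any(r.lower() == ALERT_RECIPIENT for r in ev.recipients)
    return to_alert_box and _subject_has(ev, ALERT_KEYWORDS)


def backup_notifications(ev: MailEvent) -> bool:
    return ev.sender.lower() == BACKUP_SENDER and _subject_has(ev, BACKUP_KEYWORDS)


def email_verification(ev: MailEvent) -> bool:
    return ev.sender.lower() == VERIFIER_SENDER


def user_initiated(ev: MailEvent) -> bool:
    # Stricter than "containing an internal domain": every recipient must be
    # internal, so a message with one internal CC and an external To is kept.
    return (
        _domain(ev.sender) in INTERNAL_DOMAINS
        and bool(ev.recipients)
        and all(_domain(r) in INTERNAL_DOMAINS for r in ev.recipients)
    )


# Most specific first; the broad internal-to-internal rule is evaluated last.
EXCLUSIONS: List[Tuple[str, Callable[[MailEvent], bool]]] = [
    ("scheduled-reports", scheduled_reports),
    ("automated-alerts", automated_alerts),
    ("backup-notifications", backup_notifications),
    ("email-verification", email_verification),
    ("user-initiated", user_initiated),
]


def triage(ev: MailEvent) -> Optional[str]:
    """Return the name of the first matching exclusion, or None to escalate."""
    for name, predicate in EXCLUSIONS:
        if predicate(ev):
            return name
    return None


if __name__ == "__main__":
    # constructed events: a scheduled report and an off-hours send to an unknown mailbox
    sample = [
        make_event("reports@company.com", ["board@partner.example"], "Daily report", "2024-01-15 08:30"),
        make_event("svc@company.com", ["drop@mailbox.example"], "data", "2024-01-15 02:10"),
    ]
    for ev in sample:
        print(ev.sender, "->", triage(ev) or "ESCALATE")
```

The ordering matters: the internal-to-internal exclusion is broad, so it is evaluated last and only after the narrower sender, recipient and subject based rules have had their chance; anything that matches no exclusion is returned as None and should reach an analyst.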