Unusual SMTP communication patterns, such as raw SMTP commands issued from hosts that are not mail servers, may indicate an adversary exfiltrating data over email or using SMTP as a command-and-control channel. SOC teams should proactively hunt for these patterns in Microsoft Sentinel (formerly Azure Sentinel) to identify compromise early and limit the opportunity for lateral movement.
YARA Rule
rule network_smtp_raw {
    meta:
        author = "x0r"
        description = "Communications smtp"
        version = "0.1"
    strings:
        $s1 = "MAIL FROM:" nocase
        $s2 = "RCPT TO:" nocase
    condition:
        all of them
}
This rule contains two string patterns in its detection logic, the SMTP envelope commands "MAIL FROM:" and "RCPT TO:", both matched case-insensitively (nocase). The condition "all of them" means a scanned object (a binary, a memory region, or a raw capture) matches only when both commands are present. Note that this is a capability indicator rather than a maliciousness indicator: legitimate mail clients, mail servers and scripting libraries that speak SMTP also contain these strings, so the rule needs tuning before it is used for alerting.
Scenario: Scheduled Email Reports via SMTP
Description: A system administrator uses a tool like Microsoft Exchange or Postfix to send daily email reports to stakeholders.
Filter/Exclusion: Exclude emails sent from a known reporting email address (e.g., [email protected]) during scheduled times (e.g., 8:00 AM daily).
Scenario: Automated Password Reset via SMTP
Description: A user portal like Okta or Azure AD sends password reset emails to users via SMTP.
Filter/Exclusion: Exclude emails originating from the identity provider’s SMTP relay (e.g., [email protected]) and containing specific reset tokens or links.
Scenario: System Health Check Notifications
Description: A monitoring tool like Nagios or Zabbix sends health check alerts via SMTP to an internal notification email.
Filter/Exclusion: Exclude emails sent from the monitoring tool’s SMTP server (e.g., [email protected]) and containing predefined alert keywords (e.g., “System Down”, “Service Unreachable”).
Scenario: Backup Job Completion Notification
Description: A backup tool like Veeam or Commvault sends a completion email via SMTP to the IT operations team.
Filter/Exclusion: Exclude emails sent from the backup server’s SMTP relay (e.g., [email protected]) and containing job names or timestamps that match known backup schedules.
Scenario: User Account Expiration Reminder
Description: An HR system or identity management tool like AD FS or SailPoint sends email reminders to users about account expiration via SMTP.
Filter/Exclusion: Exclude emails sent from the HR system’s SMTP address (e.g., [email protected]) and
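The following Python is an added example, not code from the original page or from the rule's author. It mirrors the rule's detection logic (both strings, case-insensitive, "all of them") over constructed raw SMTP session bytes, then applies the kind of sender-based exclusion the scenarios above describe. The session contents, the `example.internal` domain and the `ALLOWED_SENDERS` set are assumptions made up for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample SMTP sessions (not real traffic). Each value stands in for
# the raw bytes of a captured client-to-server exchange.
SESSIONS: Dict[str, bytes] = {
    # Scheduled report from a known reporting mailbox (scenario 1 above).
    "scheduled_report": (
        b"EHLO report-host.example.internal\r\n"
        b"MAIL FROM:<reports@example.internal>\r\n"
        b"RCPT TO:<stakeholders@example.internal>\r\n"
        b"DATA\r\nSubject: Daily report\r\n\r\n...\r\n.\r\n"
    ),
    # Lower-case commands from an unknown sender; nocase must still match.
    "suspicious": (
        b"ehlo x\r\n"
        b"mail from:<attacker@evil.example>\r\n"
        b"rcpt to:<drop@evil.example>\r\n"
        b"data\r\n...\r\n.\r\n"
    ),
    # Not SMTP at all: the rule must not fire.
    "http_only": b"GET / HTTP/1.1\r\nHost: example.internal\r\n\r\n",
}

# The two strings from the YARA rule, keyed by their identifiers.
STRINGS: Dict[str, bytes] = {
    "$s1": b"MAIL FROM:",
    "$s2": b"RCPT TO:",
}


def rule_network_smtp_raw(data: bytes) -> bool:
    """Reimplementation of the rule: every string present, case-insensitive."""
    haystack = data.lower()
    return all(needle.lower() in haystack for needle in STRINGS.values())


# Envelope sender extraction. MAIL FROM:<addr> with optional angle brackets.
MAIL_FROM_RE = re.compile(rb"MAIL FROM:\s*<?([^<>\s\r\n]+)>?", re.IGNORECASE)


def envelope_sender(data: bytes) -> Optional[str]:
    """Return the MAIL FROM address in lower case, or None if absent."""
    m = MAIL_FROM_RE.search(data)
    if not m:
        return None
    return m.group(1).decode("ascii", "replace").lower()


# Assumption: senders an analyst has vetted as legitimate automated mailers.
ALLOWED_SENDERS = {"reports@example.internal"}


def triage(data: bytes) -> str:
    """Classify one session: no_match, match_excluded or match_alert."""
    if not rule_network_smtp_raw(data):
        return "no_match"
    if envelope_sender(data) in ALLOWED_SENDERS:
        return "match_excluded"
    return "match_alert"


if __name__ == "__main__":
    for name, blob in SESSIONS.items():
        print(f"{name:18s} sender={envelope_sender(blob)!s:30s} -> {triage(blob)}")
```

One caveat when copying the exclusion pattern from the scenarios: the envelope sender is set by the client, so an adversary who knows the allow-listed address can simply send MAIL FROM with it. In practice the exclusion should key on something the attacker does not control, such as the source host or the known SMTP relay's IP, with the sender address used only as a secondary check.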