Unusual SMTP communication patterns may indicate an adversary attempting to exfiltrate data or establish command and control channels. SOC teams should proactively hunt for these behaviors in Azure Sentinel to identify potential compromise early and prevent data loss.
YARA Rule
rule network_smtp_vb {
    meta:
        author = "x0r"
        description = "Communications smtp"
        version = "0.1"
    strings:
        $c1 = "CDO.Message" nocase
        $c2 = "cdoSMTPServer" nocase
        $c3 = "cdoSendUsingMethod" nocase
        $c4 = "cdoex.dll" nocase
        $c5 = "/cdo/configuration/smtpserver" nocase
    condition:
        any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic (all case-insensitive); the condition fires when any one of them is present.
Scenario: Scheduled Email Reports via SMTP
Description: A system administrator uses a tool like cron (Linux) or Task Scheduler (Windows) to run a script that sends daily email reports via SMTP.
Filter/Exclusion: Exclude emails sent from a known reporting tool or IP address used by the organization’s internal email server.
Scenario: User-Initiated Email via Outlook or Thunderbird
Description: A user sends an email using Microsoft Outlook or Mozilla Thunderbird to a colleague or external partner.
Filter/Exclusion: Exclude emails originating from user workstations or using the organization’s internal email domain.
Scenario: Automated Backup Email Notification
Description: A backup system sends an email notification via SMTP to alert administrators of successful or failed backups.
Filter/Exclusion: Exclude emails sent from the backup server’s IP address or using a specific subject line or sender email address.
Scenario: System Health Check via SMTP
Description: A monitoring tool like Nagios or Zabbix sends an email alert via SMTP when a system metric exceeds a threshold.
Filter/Exclusion: Exclude emails sent from the monitoring server’s IP address or with a specific sender email address used by the monitoring tool.
Scenario: Internal SMTP Relay for Email Forwarding
Description: An internal SMTP relay server is used to forward emails between internal users or to external domains.
Filter/Exclusion: Exclude emails that pass through the internal relay server by checking the source and destination IP addresses or using a specific relay server identifier.
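The following is an added example (not part of the original page or the rule author's code) that re-implements the rule's "any of them" string logic in Python and then applies the internal-relay exclusion described in the scenarios above: a matching script whose CDO smtpserver field points at an approved relay is excluded, anything else is escalated. The relay names in APPROVED_RELAYS and the two VBScript samples are constructed for illustration.

```python
import re

# String patterns and the "any of them" condition from the page's network_smtp_vb rule.
CDO_STRINGS = {
    "c1": "CDO.Message",
    "c2": "cdoSMTPServer",
    "c3": "cdoSendUsingMethod",
    "c4": "cdoex.dll",
    "c5": "/cdo/configuration/smtpserver",
}

# Assumed allowlist of the organization's internal relay hosts (hypothetical names).
APPROVED_RELAYS = {"smtp.corp.example", "relay01.corp.example"}

# Pulls the host assigned to the CDO smtpserver configuration field, e.g.
#   .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "host"
SMTP_SERVER_RE = re.compile(r'/cdo/configuration/smtpserver"\)\s*=\s*"([^"]+)"', re.IGNORECASE)


def match_rule(script: str) -> list[str]:
    """Return the rule identifiers ($c1..$c5) whose strings occur, matching nocase."""
    lowered = script.lower()
    return [f"${k}" for k, s in CDO_STRINGS.items() if s.lower() in lowered]


def triage(script: str) -> dict:
    """Fire the rule, then apply the internal-relay exclusion from the scenarios."""
    hits = match_rule(script)
    found = SMTP_SERVER_RE.search(script)
    relay = found.group(1).lower() if found else None
    if not hits:
        verdict = "clean"
    elif relay in APPROVED_RELAYS:
        verdict = "exclude"     # known internal relay: scheduled report / monitoring alert
    else:
        verdict = "alert"       # CDO mail code pointed at an unapproved server
    return {"matched": hits, "smtp_server": relay, "verdict": verdict}


# Constructed samples (not real scripts): a scheduled report and a script using an unknown relay.
REPORT_SCRIPT = '''Set msg = CreateObject("CDO.Message")
msg.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.corp.example"
msg.Send
'''
UNKNOWN_RELAY_SCRIPT = '''Set m = CreateObject("cdo.message")
m.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "203.0.113.10"
m.Configuration.Fields.Item(cdoSendUsingMethod) = 2
'''
```

Call triage() on each file body that the YARA rule flagged; the returned dict carries the matched identifiers, the extracted relay and the verdict, so the exclusion decision stays auditable alongside the raw match.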