
T1071.003 Mail Protocols in MITRE ATT&CK Explained

Written by Sıla Özeren Hacıoğlu | Mar 17, 2026 7:30:00 AM

What Is T1071.003 Mail Protocols in MITRE ATT&CK?

T1071.003 Mail Protocols is a sub-technique of Application Layer Protocols (T1071) in the MITRE ATT&CK framework, under the Command and Control tactic. It covers the use of email protocols such as SMTP/S (Simple Mail Transfer Protocol, optionally over TLS), POP3/S (Post Office Protocol version 3, optionally over TLS), and IMAP (Internet Message Access Protocol) to carry traffic between a compromised system and attacker-controlled mail infrastructure.

These protocols are used everywhere for sending, receiving, and accessing email. They carry data in both message headers and bodies, including attachments, so they can move structured and unstructured content alike, and they are present in almost every enterprise network. Because mail traffic is routinely trusted and rarely blocked at the perimeter, adversaries abuse these protocols to send and receive data covertly.

To read about other sub-techniques of the T1071 Application Layer Protocols technique, you can visit the related hub blog.

Adversary Use of T1071.003 Mail Protocols

Adversaries increasingly abuse email protocols such as SMTP, IMAP, and POP3 as covert channels for command and control. Because these protocols underpin routine email operations, malicious traffic hidden within them is difficult to distinguish from legitimate user activity. Attackers relay commands or exfiltrate data through crafted emails, weaponized attachments, or hijacked accounts, including both compromised inboxes and attacker-controlled throwaway accounts, so that their activity blends into normal mail flows.

Procedure Examples Used by Adversaries in Red Report 2026

A May 2025 analysis of DarkCloud Stealer illustrates this trend [1].

Researchers observed a campaign active since January 2025 in which DarkCloud was distributed via email-based delivery chains. Once executed, the malware attempts to harvest stored login credentials from multiple FTP client applications and decrypt them for exfiltration. The disassembly below captures part of the credential-retrieval routine:

push eax
push offset asc_42EE40 ; "\r\n"
push offset aApplicationFil ; "Application : [REDACTED - FTP Client Application]"

The string constants visible here show DarkCloud building a plain-text credential report: an "Application :" label naming a specific, well-known FTP client, followed by a CRLF line terminator. The saved credentials collected this way are staged for exfiltration, illustrating how stealers pair credential theft with mail-protocol-based exfiltration channels to evade traditional detection.

Procedure Examples Used by Adversaries in Red Report 2025

The Snake malware analyzed in 2024, also known as Snake Keylogger, uses SMTP both to exfiltrate stolen data and to carry its command-and-control (C2) communications [2]. The malware targets email clients such as Microsoft Outlook, reading saved IMAP, POP3, and SMTP credentials from the Windows Registry. Using pre-configured SMTP server details, including hardcoded hostnames, ports, and account credentials, Snake sends the stolen information (keystrokes, screenshots, and clipboard contents) either in plaintext or in encrypted form. It can do this in two ways: by embedding the data directly in the email body or by attaching it as files. Because the transfer rides on widely used mail protocols, Snake's traffic blends with legitimate email and is harder to detect and analyze on compromised systems.
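The Snake Keylogger behaviour above (a hardcoded SMTP account, messages the account sends to itself, stolen data in the body or as attachments) and the covert-channel use described under "Adversary Use" also describe what a network sensor sees on the wire. The following Python script is an added example, not code from this page, from Picus, or from the cited analyses. It parses a constructed transcript of one SMTP session (client lines marked "C:", server lines "S:"), recovers the AUTH LOGIN credentials and envelope, parses the DATA payload with the standard library's email module, and applies a few heuristics for mail-protocol exfiltration. The transcript, hostnames, account names, the ALLOWED_MAIL_RELAYS set and the attachment-name pattern are all assumptions made for illustration.

```python
import base64
import re
from email import message_from_string

# Hostnames allowed to speak SMTP outbound (assumed names for this example).
ALLOWED_MAIL_RELAYS = {"mailgw01", "mailgw02"}
# Attachment names stealers typically give collected data (illustrative pattern).
SENSITIVE_NAME = re.compile(r"(key|log|screen|clip|pass|cred)", re.I)
# Outlook-style protocol credential lines in a body, e.g. "IMAP: user / password".
MAIL_CRED_LINE = re.compile(r"\b(IMAP|POP3|SMTP)\b\s*:", re.I)

# Constructed transcript of one outbound SMTP session from a workstation ("C:" = client, "S:" = server).
SAMPLE_SESSION = """\
S: 220 mail.example-smtp.test ESMTP
C: EHLO WIN10-FINANCE
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: cmVwb3J0c0BleGFtcGxlLW1haWwudGVzdA==
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 Authentication succeeded
C: MAIL FROM:<reports@example-mail.test>
C: RCPT TO:<reports@example-mail.test>
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: reports@example-mail.test
C: To: reports@example-mail.test
C: Content-Type: multipart/mixed; boundary="b1"
C:
C: --b1
C: Content-Type: text/plain
C:
C: PC: WIN10-FINANCE | User: jdoe | Outlook IMAP: jdoe@corp.test / S3cret!
C: --b1
C: Content-Type: text/plain; name="Keystrokes.txt"
C: Content-Disposition: attachment; filename="Keystrokes.txt"
C:
C: [09:12] chrome.exe: bank login...
C: --b1--
C: .
"""


def parse_session(transcript: str) -> dict:
    """Split a C:/S: transcript into EHLO name, AUTH LOGIN fields, envelope and DATA lines."""
    s = {"ehlo": None, "auth": [], "mail_from": None, "rcpt_to": [], "data": []}
    in_data = expect_cred = False
    for raw in transcript.splitlines():
        side, _, rest = raw.partition(":")
        line = rest[1:] if rest.startswith(" ") else rest  # strip the one separator space
        if side == "S":
            expect_cred = line.startswith("334")  # 334 = server asks for a base64 AUTH field
        elif in_data:
            if line == ".":
                in_data = False
            else:
                s["data"].append(line)
        elif expect_cred:
            s["auth"].append(base64.b64decode(line).decode())  # AUTH LOGIN is base64, not encryption
            expect_cred = False
        elif line.upper().startswith(("EHLO ", "HELO ")):
            s["ehlo"] = line.split(None, 1)[1]
        elif (m := re.match(r"MAIL FROM:<([^>]*)>", line, re.I)):
            s["mail_from"] = m.group(1).lower()
        elif (m := re.match(r"RCPT TO:<([^>]*)>", line, re.I)):
            s["rcpt_to"].append(m.group(1).lower())
        elif line.upper() == "DATA":
            in_data = True
    return s


def extract_content(data_lines: list) -> tuple:
    """Parse the DATA payload; return (inline text body, attachment filenames)."""
    msg = message_from_string("\n".join(data_lines))
    body, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "<unnamed>")
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(body), attachments


def assess(transcript: str) -> dict:
    """Apply T1071.003-style heuristics to one session and report what they found."""
    s = parse_session(transcript)
    body, attachments = extract_content(s["data"])
    flags = {
        # Workstations should hand mail to the gateway, not authenticate to SMTP servers themselves.
        "direct_submission_from_non_relay": bool(s["ehlo"]) and s["ehlo"].lower() not in ALLOWED_MAIL_RELAYS,
        # A hardcoded drop account usually mails itself: sender and sole recipient are identical.
        "self_addressed": s["mail_from"] is not None and s["rcpt_to"] == [s["mail_from"]],
        "sensitive_attachment_name": any(SENSITIVE_NAME.search(n) for n in attachments),
        "mail_client_credentials_in_body": bool(MAIL_CRED_LINE.search(body)),
    }
    return {"ehlo": s["ehlo"], "smtp_auth": tuple(s["auth"]), "attachments": attachments,
            "flags": flags, "score": sum(flags.values())}
```

Calling assess(SAMPLE_SESSION) on the constructed transcript recovers the hardcoded account from the AUTH LOGIN exchange (base64 is an encoding, so the credentials are readable to anyone capturing unencrypted port 25/587 traffic; with SMTPS or STARTTLS the same session must instead be observed at the mail gateway or on the host) and raises all four flags. In production the EHLO name should be replaced by the sensor's source-host lookup, since the client chooses what it announces.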

Another example is a Trojan identified by security researchers in February 2024 and named Trojan.Win32.Injuke.mlrx* [3]. This malware uses the T1071.003 Mail Protocols technique for command and control. Designed for electronic espionage, it intercepts keyboard input, captures screenshots, and retrieves the list of active applications. The stolen information is exfiltrated to the operators through multiple channels, including email, relying on mail protocols to blend in and evade detection.

MD5*: 6282B733288D6BF23318AB2AF8580D8F
MD5*: 3D25825DECA5AD3DCC9DFE6224313F4E
MD5*: AA73922F5F7AE1D62F174D21475FD0A4
MD5*: 32BB85957AB66EAD132095C7F456125C
MD5*: 4246FC4DF16D9C7655C08B1933093CFA


References

[1] P. K. Chhaparwal and B. Chang, “DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt,” Unit 42, May 14, 2025. Available: https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/. [Accessed: Dec. 08, 2025]

[2] M. Ezat, “Deep Analysis of Snake,” ZW01f, Jun. 30, 2024. Available: https://zw01f.github.io/malware%20analysis/snake/. [Accessed: Dec. 17, 2024]

[3] Kaspersky Threats, “Trojan.Win32.Injuke.mlrx.” Available: https://threats.kaspersky.com/en/threat/Trojan.Win32.Injuke.mlrx/. [Accessed: Dec. 17, 2024]