AN0379: Analytic 0379
Detects unauthorized use of SMTP/IMAP/POP3 by suspicious binaries (e.g., PowerShell, rundll32) to exfiltrate data or beacon via email, often bypassing proxy or content filters.
Analyst context for executives and security teams
This analytic matters because email protocols can become an unmonitored path for data movement or command-and-control when unusual Windows binaries initiate SMTP, IMAP, or POP3 traffic directly. For leaders, the key issue is not just malware detection; it is whether proxy, email, and network controls actually see and govern non-browser or non-mail-client use of email protocols.
Executive priority
Prioritize this as a coverage-validation item for Windows environments where business continuity, data protection, and audit evidence depend on proving that outbound communications are monitored beyond standard web proxy paths. Security leaders should ask whether PowerShell, rundll32, and other unexpected binaries can reach external mail services directly, whether exceptions are documented, and whether SOC teams have evidence to distinguish legitimate administrative activity from suspicious email-protocol use.
Technical view
For SOC, detection engineering, and IR teams, the first step is to validate visibility into Windows process-to-network activity for SMTP, IMAP, and POP3. The supplied analytic names only the behavior: suspicious binaries such as PowerShell and rundll32 using these protocols to exfiltrate data or beacon via email, potentially bypassing proxy or content filters. Because ATT&CK supplies no official detection logic and no relationship context here, teams should build local baselines of expected mail clients, servers, scripts, and administrative tools before alerting on anomalous process/protocol combinations.
Likely telemetry
- Windows process creation events with executable name, command line, parent process, user, and host
- Network connection telemetry mapping process to destination IP, port, and protocol
- Firewall, proxy, and egress control logs showing direct attempts to mail ports (25, 465, and 587 for SMTP; 143 and 993 for IMAP; 110 and 995 for POP3)
- DNS telemetry for mail-service lookups initiated by unusual hosts or processes
- Email security or mail gateway logs where direct protocol usage is visible
Detection direction
- Confirm whether telemetry can correlate a Windows process with outbound SMTP, IMAP, or POP3 connections; port-only network logs without process context will leave a major blind spot.
- Tune around approved mail clients, mail servers, backup tools, monitoring systems, and sanctioned automation to reduce false positives.
- Give higher review priority to scripting or system utilities, including PowerShell and rundll32, initiating direct email-protocol traffic from endpoints that do not normally send or retrieve mail this way.
- Validate that proxy-centric monitoring does not miss direct email-protocol egress, since the analytic highlights bypass of proxy or content filters as a concern.
- Because no official detection query is supplied, test candidate logic against local baselines and incident-response evidence before treating alerts as high confidence.
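Candidate correlation logic for the telemetry list and detection direction above, written as an added example; it is not ATT&CK's or Glexia's detection logic (none is supplied for this object). It joins Sysmon Event ID 3 style process-to-network records with a local baseline, ignores inbound connections and non-mail ports, suppresses images that are baselined for the host they ran on, and ranks the rest so that scripting and system utilities such as PowerShell and rundll32 get higher review priority. The baseline paths, hostnames, users, the high-priority image list and the sample events are all constructed for the example and stand in for what a real inventory and a real EDR or Sysmon export would provide.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Destination ports for direct SMTP/IMAP/POP3 use, plain and TLS variants.
MAIL_PORTS = {
    25: "SMTP", 587: "SMTP submission", 465: "SMTP over TLS",
    143: "IMAP", 993: "IMAP over TLS",
    110: "POP3", 995: "POP3 over TLS",
}

# Scripting and system utilities that get higher review priority when they
# initiate mail-protocol traffic (assumed list; extend it from local experience).
HIGH_PRIORITY_IMAGES = {
    "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# Hypothetical local baseline (assumed, not supplied by ATT&CK): lowercase image
# path -> hosts allowed to use mail protocols from it ("*" means any host).
# Built from the inventory of mail clients, backup agents and sanctioned automation.
BASELINE = {
    r"c:\program files\microsoft office\root\office16\outlook.exe": {"*"},
    r"c:\program files\examplebackup\bkagent.exe": {"bkup01"},
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe": {"mailrelay01"},
}

# Constructed Sysmon Event ID 3 style records as JSON lines. Hosts, users and the
# RFC 5737 documentation addresses are invented for this example.
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-05-02 09:14:03", "Computer": "ws-042", "User": "CORP\\jdoe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationIp": "198.51.100.10", "DestinationPort": 993, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:15:41", "Computer": "ws-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 587, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:16:02", "Computer": "ws-042", "User": "CORP\\jdoe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "203.0.113.80", "DestinationPort": 443, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:20:17", "Computer": "ws-017", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 25, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:21:00", "Computer": "mailrelay01", "User": "CORP\\svc_relay", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "198.51.100.25", "DestinationPort": 25, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:22:35", "Computer": "bkup01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Program Files\\ExampleBackup\\bkagent.exe", "DestinationIp": "198.51.100.25", "DestinationPort": 465, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:25:12", "Computer": "ws-017", "User": "CORP\\asmith", "Image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\updater.exe", "DestinationIp": "203.0.113.26", "DestinationPort": 587, "Initiated": "true"}
{"UtcTime": "2024-05-02 09:26:48", "Computer": "mailsrv01", "User": "NT AUTHORITY\\NETWORK SERVICE", "Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 25, "Initiated": "false"}
"""


@dataclass
class Finding:
    time: str
    host: str
    user: str
    image: str
    dest: str
    protocol: str
    priority: str
    reason: str


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_outbound(event: dict) -> bool:
    # Sysmon exports Initiated as the string "true"/"false"; a bool is accepted too.
    return str(event.get("Initiated", "")).lower() == "true"


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding for unexpected outbound mail-protocol use, else None."""
    protocol = MAIL_PORTS.get(int(event["DestinationPort"]))
    if protocol is None or not is_outbound(event):
        return None  # not an outbound connection to a mail port
    image = event["Image"].lower()
    host = event["Computer"].lower()
    allowed_hosts = BASELINE.get(image, set())
    if "*" in allowed_hosts or host in allowed_hosts:
        return None  # matches the local baseline for this image and host
    name = image.rsplit("\\", 1)[-1]
    if name in HIGH_PRIORITY_IMAGES:
        priority, reason = "high", f"scripting/system utility {name} initiated {protocol}"
    elif allowed_hosts:
        priority, reason = "high", f"{name} is baselined only on {sorted(allowed_hosts)}"
    else:
        priority, reason = "medium", f"{name} is not in the mail-protocol baseline"
    return Finding(event["UtcTime"], host, event["User"], event["Image"],
                   f"{event['DestinationIp']}:{event['DestinationPort']}",
                   protocol, priority, reason)


def run(text: str) -> list[Finding]:
    """Evaluate every record in a JSON-lines export and keep only the findings."""
    return [f for f in map(evaluate, parse_jsonl(text)) if f is not None]


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.priority}] {f.time} {f.host} {f.user} {f.image} -> {f.dest} "
              f"({f.protocol}): {f.reason}")
```

On the constructed input this yields three findings: PowerShell on ws-042 and rundll32 on ws-017 at high priority, and an unknown updater.exe from a user temp directory at medium priority. Outlook, the backup agent on its designated host, PowerShell on the sanctioned relay host and the inbound connection on the mail server are all suppressed, which is the point of building the baseline first: the same PowerShell image is benign on one host and reviewable on another, and only process-aware telemetry lets the logic tell them apart.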
Mitigation priorities
- Inventory which Windows systems and applications legitimately require outbound SMTP, IMAP, or POP3.
- Restrict direct outbound email-protocol access to approved systems and documented use cases where operationally feasible.
- Require exceptions for scripts, administrative tools, and non-mail-client binaries to be justified and reviewed.
- Ensure endpoint, network, and email-security telemetry can support investigation of process, user, host, destination, and timing.
- Use the resulting evidence for compliance readiness by documenting allowed egress paths, monitoring coverage, and exception handling.
Analyst notes and limits
This Glexia take is based only on the supplied ATT&CK analytic fields. The object is a Windows detection analytic, AN0379, describing unauthorized SMTP/IMAP/POP3 use by suspicious binaries such as PowerShell and rundll32. No tactics, relationships, aliases, labels, or official detection logic were supplied, so the practical guidance focuses on coverage validation and conservative detection engineering.
ATT&CK did not provide detection logic, related techniques, adversary context, or confirmed telemetry requirements for this object. Local environment baselines are required to determine which binaries and destinations are actually suspicious. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 76b818b7033f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0379
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.