AN0382: Analytic 0382
Detects hosts transmitting large volumes of SMTP, IMAP, or POP3 traffic to external IPs or relays that aren't associated with the enterprise mail infrastructure.
Analyst context for executives and security teams
AN0382 is a network-device detection analytic for finding hosts that send unusually large volumes of SMTP, IMAP, or POP3 traffic to external destinations or mail relays outside approved enterprise mail infrastructure. For leaders, the value is not just “mail traffic monitoring”; it is a check on whether the organization can quickly identify unmanaged mail flows that may indicate policy bypass, compromised hosts, misconfigured systems, or gaps in egress control.
Executive priority
Prioritize this where email infrastructure is business-critical or tightly governed. Executives should ask whether all legitimate enterprise mail relays are documented, whether network teams can prove which hosts are allowed to send mail externally, and whether SOC teams receive enough network telemetry to distinguish approved mail operations from unexpected high-volume external mail traffic. This analytic can support resilience, incident triage, and compliance evidence around network monitoring and egress control, but it depends heavily on local asset and mail-infrastructure knowledge.
Technical view
Validate coverage on Network Devices by comparing outbound SMTP, IMAP, and POP3 traffic volume against an approved inventory of enterprise mail servers, gateways, and relays. Focus on hosts generating large volumes to external IPs or relays not associated with the enterprise mail infrastructure. Because no ATT&CK tactic or detailed detection logic is supplied, teams should define local baselines, approved relay lists, external destination criteria, and volume thresholds before operationalizing alerts.
Likely telemetry
- Network flow records from routers, firewalls, proxies, or other network devices
- Firewall or egress-control logs showing source host, destination IP, destination port, protocol, and byte/session counts
- Mail gateway or relay inventory used as an allowlist for approved enterprise mail infrastructure
- DNS or asset context to identify internal hosts and classify external destinations
- Time-series traffic volume metrics for SMTP, IMAP, and POP3 activity
Detection direction
- Confirm that network telemetry includes SMTP, IMAP, and POP3 traffic from internal hosts to external IPs or relays.
- Build or validate an authoritative list of approved enterprise mail infrastructure; the analytic’s value depends on knowing what is normal and sanctioned.
- Tune thresholds for “large volumes” by business unit, host role, and expected mail flow to reduce false positives from legitimate mail systems or migrations.
- Investigate hosts that are not mail servers but generate sustained or anomalous external mail-protocol traffic.
- Watch for blind spots where encrypted tunnels, incomplete flow logging, NAT aggregation, or missing asset ownership obscure the true source host.
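The comparison described in the technical view and the detection direction above, written out as an added Python example rather than any logic supplied with AN0382: flow records are aggregated per source host, only SMTP/IMAP/POP3 destination ports to external addresses are kept, traffic to the approved relay allowlist is discarded, and hosts whose outbound byte count crosses a threshold are reported. Traffic sourced from a NAT gateway is reported separately as a visibility gap rather than a finding, matching the blind-spot caveat. The internal ranges, approved relay list, NAT gateway addresses, threshold, and sample flow records are all constructed assumptions for illustration.

```python
"""Volume-based detection of unexpected external mail-protocol traffic.

Added example, not part of AN0382 or MITRE's published detection logic.
Internal ranges, approved relays, NAT gateways, the threshold and the
sample flow records below are constructed assumptions; tune them locally.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Destination ports treated as mail protocols (plaintext and TLS variants).
MAIL_PORTS = {
    25: "SMTP", 465: "SMTPS", 587: "SMTP-submission",
    143: "IMAP", 993: "IMAPS", 110: "POP3", 995: "POP3S",
}
# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist of enterprise mail relays/gateways (sanctioned external mail paths).
APPROVED_RELAYS = {"203.0.113.10", "203.0.113.11"}
# Assumed NAT/egress gateways: flows sourced here hide the true originating host.
NAT_GATEWAYS = {"10.0.0.1"}
THRESHOLD_BYTES = 5 * 1024 * 1024  # assumed "large volume" cut-off


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV flow record: ts,src,dst,dport,proto,bytes."""
    ts, src, dst, dport, proto, nbytes = line.strip().split(",")
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_unapproved_external_mail(flow: Flow) -> bool:
    """True for mail-protocol traffic leaving the enterprise to a non-allowlisted host."""
    return (
        flow.dport in MAIL_PORTS
        and is_internal(flow.src)
        and not is_internal(flow.dst)
        and flow.dst not in APPROVED_RELAYS
    )


def summarize(lines):
    """Aggregate qualifying flows per source host: total bytes, destinations, protocols."""
    totals = defaultdict(lambda: {"bytes": 0, "dsts": set(), "protocols": set()})
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_unapproved_external_mail(flow):
            continue
        entry = totals[flow.src]
        entry["bytes"] += flow.bytes_out
        entry["dsts"].add(flow.dst)
        entry["protocols"].add(MAIL_PORTS[flow.dport])
    return dict(totals)


def detect(lines, threshold=THRESHOLD_BYTES):
    """Return (alerts, unattributed).

    alerts: hosts at or above the threshold, largest first.
    unattributed: bytes seen from NAT gateways, which cannot be tied to a
    host and so represent a telemetry gap rather than a finding.
    """
    alerts, unattributed = [], {}
    for src, entry in summarize(lines).items():
        if src in NAT_GATEWAYS:
            unattributed[src] = entry["bytes"]
        elif entry["bytes"] >= threshold:
            alerts.append({"host": src, "bytes": entry["bytes"],
                           "destinations": sorted(entry["dsts"]),
                           "protocols": sorted(entry["protocols"])})
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts, unattributed


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = """\
2024-05-01T08:00:00Z,10.1.1.50,203.0.113.10,25,tcp,900000
2024-05-01T08:05:00Z,10.1.1.50,203.0.113.10,25,tcp,800000
2024-05-01T08:01:00Z,10.1.2.77,198.51.100.23,587,tcp,4000000
2024-05-01T08:07:00Z,10.1.2.77,198.51.100.23,587,tcp,2500000
2024-05-01T08:02:00Z,10.1.2.77,198.51.100.24,993,tcp,120000
2024-05-01T08:03:00Z,10.1.3.12,198.51.100.40,443,tcp,70000000
2024-05-01T08:04:00Z,10.1.4.9,10.1.0.25,25,tcp,300000
2024-05-01T08:06:00Z,10.0.0.1,198.51.100.60,25,tcp,9000000
2024-05-01T08:08:00Z,10.1.5.5,198.51.100.70,110,tcp,50000
"""

if __name__ == "__main__":
    found, gaps = detect(SAMPLE_FLOWS.splitlines())
    for a in found:
        print(f"ALERT {a['host']}: {a['bytes']} bytes via {a['protocols']} to {a['destinations']}")
    for gw, nbytes in gaps.items():
        print(f"GAP {gw}: {nbytes} bytes of external mail traffic behind NAT, source host unknown")
```

On the sample data, the host sending through the approved relay produces nothing, the large HTTPS flow is ignored because it is not a mail port, the internal-to-internal SMTP flow is ignored, the low-volume POP3 host stays below the threshold, and only the host pushing several megabytes of submission and IMAPS traffic to unlisted destinations is alerted on. The NAT gateway's traffic is surfaced as a gap so the team knows the true source is not visible in this telemetry.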
Mitigation priorities
- Document and maintain the approved enterprise mail relay and gateway inventory.
- Restrict outbound mail-protocol traffic to authorized mail infrastructure where business requirements allow.
- Ensure network devices log sufficient egress traffic metadata for SOC review and incident response.
- Align alert handling with asset ownership so unexpected mail traffic can be rapidly traced to a responsible system or team.
- Periodically review exceptions for systems allowed to communicate with external mail services.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique description. Its practical use is strongest as a control-validation and anomaly-detection pattern around external mail-protocol traffic from network devices. Local environment context—approved relays, host roles, volume baselines, and egress policy—is required to make the analytic actionable.
The supplied ATT&CK fields provide no tactic, no detailed detection logic, no relationships, and no associated threat actor, malware, campaign, or technique context. The analytic supports Network Devices only as supplied. It should not be interpreted as proof of compromise or complete detection coverage without local telemetry and validation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b85b4a8c994c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0382 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.