T1505.002: Transport Agent
Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.
Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.[2] Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.
Analyst context for executives and security teams
Transport Agent abuse is a persistence risk centered on server-side email processing. Because Exchange transport agents are legitimate extensibility components, a malicious or unauthorized agent can blend into normal mail infrastructure and be triggered by email events. For leaders, the concern is not just malware on a server; it is unauthorized code living inside a business-critical communications system that may affect confidentiality, incident scope, and recovery confidence.
Executive priority
Prioritize this where Microsoft Exchange or related mail transport infrastructure is business-critical. The key governance question is whether the organization can prove who is allowed to register transport agents, what agents are installed, whether they are trusted, and whether changes are audited. This technique is most relevant to resilience, privileged access control, compliance evidence for administrative activity, and incident response readiness around email infrastructure.
Technical view
ATT&CK maps this sub-technique to persistence on Windows and Linux and relates it to Server Software Component abuse. SOC and IR teams should validate visibility into Exchange transport agent inventory, registration or configuration changes, .NET assembly placement or modification, privileged administrative actions, and mail server process/module activity. Because the official ATT&CK object provides no native detection text, detection engineering should be based on baselining approved agents and alerting on unauthorized additions, unexpected code signing status, abnormal privileged changes, and suspicious behavior tied to mail processing events. Relationship context also points to DET0166 as a relevant detection strategy and to LightNeuron as software known by ATT&CK to use this behavior.
Likely telemetry
- Exchange transport agent inventory and configuration state
- Administrative command and change logs related to transport agents
- Privileged account authentication and activity on mail servers
- File creation, modification, and integrity monitoring for transport agent assemblies and related directories
- Code signing or trust metadata for installed assemblies
Detection direction
- Establish an allowlist of approved transport agents and alert on new, removed, disabled, re-enabled, or modified agents.
- Correlate transport agent changes with privileged account usage and approved change tickets to reduce false positives from legitimate administration.
- Validate whether installed assemblies are expected, signed where required, and consistent with known-good hashes or deployment sources.
- Monitor for unusual mail server file changes or module loads near administrative changes to transport configuration.
- Treat mail infrastructure as high-value server software: detection should combine configuration state, endpoint telemetry, and privileged access logs rather than relying on email logs alone.
Mitigation priorities
- Restrict who can administer Exchange transport agents using privileged account management, RBAC, least privilege, and accountable administrative workflows.
- Require auditing of transport agent configuration, privileged actions, and relevant file changes so responders can reconstruct when persistence was introduced.
- Use code signing or trusted software controls where applicable to reduce the chance that unauthorized assemblies can be loaded as legitimate components.
- Maintain an approved inventory of transport agents and include it in mail server build standards, vulnerability reviews, and incident response collection plans.
- Review mail server administrative access regularly, especially service accounts and accounts with rights to register or modify server components.
Analyst notes and limits
This object is narrowly about persistence through Microsoft Exchange transport agents, a sub-technique of Server Software Component. The supplied relationship data includes mitigations for Privileged Account Management, Code Signing, and Audit, plus a related detection strategy DET0166 and software S0395 LightNeuron. Practical defensive value depends heavily on local Exchange architecture, administrative practices, and whether configuration and endpoint telemetry are retained.
The official ATT&CK detection field is not provided, so detection guidance is inferred from the behavior description and supplied relationships rather than from explicit MITRE detection text. The supplied data does not support claims of current exploitation, customer exposure, guaranteed detection, or specific vendor tooling requirements.
Transport Agent
Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.
Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.[2] Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1505 | Server Software Component | This object subtechnique of Server Software Component. |
Groups, software, and campaigns
S0395: LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | ef161de9522c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Microsoft TransportAgent Jun 2016
Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.
Open source URL -
[2]
ESET LightNeuron May 2019
Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
Open source URL -
[3]
mitre-attack T1505.002Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.