Rare SMTP/S Session

Rare SMTP/S Session
Analytics alert indicates that a process performed a rare Simple Mail Transfer Protocol (SMTP/S) session to a remote endpoint and port.


10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Varies by activity (High, Medium, or Low).


A process performed a rare SMTP/S session to a remote endpoint and port. For additional context, this alert identifies the full command used to start the session and the total number of endpoints on which the command was run in the last 14 days.

Attacker's Goals

SMTP and its SSL-secured variant SMTPS are used to send email. Attackers can use SMTP/S to exfiltrate data from your network.

Recommended For You