NF – Outbound mail setup command HELO

This alert is triggered when a host on the internal network opens an outbound SMTP connection (TCP ports 25, 26 or 587) to an external address and opens the session with the "HELO" command. HELO is a normal part of SMTP, so the alert can fire on legitimate mail traffic; however, an internal host greeting an external mail server directly, rather than going through the organization's mail relay, may indicate unauthorized outbound email activity, especially in environments where only designated servers are permitted to send mail.

Categories:

ID Number

5004014

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587] (msg:"NF - Outbound mail setup command HELO"; flow:from_client,established; content:"helo"; within:4; nocase; reference:url,networkforensic.dk; metadata:31102019; classtype:misc-activity; sid:5004014; rev:1;)

Severity

High

Recommendations/Investigative actions

Identify the device or application initiating the outbound email to confirm it is authorized. Restrict or block the device’s access to send emails externally if it’s not part of the expected activity. Check for repeated or unexpected outbound email attempts, which may indicate malware or data exfiltration.
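To make the rule's matching conditions and the triage step above concrete, here is an added Python example (not part of the original rule set or of networkforensic.dk's tooling). It re-implements the signature's checks over constructed flow records: destination port in the rule's port list, source in $HOME_NET, destination outside it, and the client's first four bytes equal to "helo" regardless of case (this is how the rule's content/within/nocase options are read here). It then counts matches per internal source so that hosts with repeated attempts, the "repeated or unexpected outbound email attempts" the investigative actions call out, are surfaced first. The internal ranges, the repeat threshold and all sample flows are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Assumption: internal ranges standing in for Snort's $HOME_NET (constructed for this example).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# The destination port list taken from the signature.
MAIL_PORTS = {25, 26, 587}


def in_home_net(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matches_rule(flow):
    """Mirror the signature's conditions on one client->server flow record.

    flow: dict with src, dst, dport and the first bytes the client sent.
    The rule's flow:from_client,established is taken as given by the record,
    which only holds client-side data of an established TCP session.
    """
    if flow["dport"] not in MAIL_PORTS:
        return False
    # $HOME_NET -> $EXTERNAL_NET: internal source, non-internal destination.
    if not in_home_net(flow["src"]) or in_home_net(flow["dst"]):
        return False
    # content:"helo"; within:4; nocase  -> "helo" in the first four client bytes, any case.
    return flow["payload"][:4].lower() == b"helo"


def triage(flows, repeat_threshold=3):
    """Return (alerts, repeat_offenders).

    alerts: every flow record the rule would fire on.
    repeat_offenders: {source_ip: alert_count} for sources at or above the threshold,
    i.e. the hosts to identify and restrict first.
    """
    alerts = [f for f in flows if matches_rule(f)]
    per_source = Counter(f["src"] for f in alerts)
    repeat = {src: n for src, n in per_source.items() if n >= repeat_threshold}
    return alerts, repeat


# Constructed sample flows (not captured traffic); addresses are documentation ranges.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10", "dport": 25, "payload": b"HELO workstation01\r\n"},
    {"src": "10.1.2.3", "dst": "203.0.113.11", "dport": 587, "payload": b"helo x\r\n"},
    {"src": "10.1.2.3", "dst": "198.51.100.5", "dport": 25, "payload": b"HeLo bot\r\n"},
    # EHLO rather than HELO: the rule does not fire.
    {"src": "10.1.2.9", "dst": "203.0.113.10", "dport": 25, "payload": b"EHLO mail.example.internal\r\n"},
    # Internal host talking to the internal relay: destination is in $HOME_NET, no alert.
    {"src": "10.1.2.9", "dst": "10.1.1.25", "dport": 25, "payload": b"HELO relay\r\n"},
    # Not a mail port: no alert even though the payload starts with HELO.
    {"src": "10.1.2.4", "dst": "203.0.113.10", "dport": 443, "payload": b"HELO\r\n"},
    # A single hit from a printer: alerts, but stays below the repeat threshold.
    {"src": "192.168.5.5", "dst": "198.51.100.7", "dport": 26, "payload": b"HELO printer\r\n"},
]


if __name__ == "__main__":
    alerts, repeat = triage(SAMPLE_FLOWS)
    for f in alerts:
        print(f"alert sid 5004014: {f['src']} -> {f['dst']}:{f['dport']} {f['payload'][:4]!r}")
    for src, n in repeat.items():
        print(f"investigate {src}: {n} outbound HELO attempts to external mail servers")
```

Running the module lists four alerts and singles out 10.1.2.3, which greeted three different external mail servers directly, while the single printer hit is reported but not escalated. In a real deployment the records would come from the sensor's alert or flow log and HOME_NET from the sensor's own variable definition.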