Generic SMTP Credentials
Service Name: Simple Mail Transfer Protocol
Service Description: SMTP (Simple Mail Transfer Protocol) is the standard protocol for email transmission across the Internet. Generic SMTP credentials are used to authenticate with mail servers for sending emails from applications, services, or email clients.
Service Address: Varies depending on the email service provider (e.g., smtp.gmail.com, smtp.office365.com)
Validation Type: API Auth
IP Allow list: Many SMTP servers implement IP-based restrictions where only connections from whitelisted IP addresses are accepted.
Secret Access Scope: Grants ability to send emails through the configured SMTP server, potentially allowing an attacker to send emails that appear to come from your domain.
Secret Revokement URL: Varies by provider - typically managed through the email service provider's admin console
Secret Example: username:p@ssw0rd123! or in connection string format: smtp://username:p@ssw0rd123!@smtp.example.com:587
Suspicious Activity Investigation Instructions:
-
Review email server logs for unusual login activity or high volume of sent emails.
-
Check for emails sent from unexpected locations or IP addresses.
-
Monitor for unusual sending patterns or spikes in email volume.
-
Examine email content for unauthorized messages, phishing attempts, or spam.
-
Review authentication logs for failed login attempts or brute force attacks.
Mitigation Instructions:
-
Immediately change the SMTP password through your email service provider's admin console.
-
Implement or update IP restrictions to only allow connections from known, trusted IP addresses.
-
Enable multi-factor authentication if supported by your email service provider.
-
Review and update email sending policies and rate limits.
-
Consider implementing DMARC, SPF, and DKIM to prevent email spoofing.
-
Audit applications and services that use these credentials and update them with new credentials.
-
Consider implementing a secrets management solution to rotate credentials regularly.
-
Monitor email sending activity for any signs of continued unauthorized access.