Email remains one of the most widely used communication systems in modern environments.
Organizations use email for:
- Communication
- Account registration
- Password resets
- Notifications
- Multi-factor authentication
- Business operations
As a result, email systems frequently become high-value targets.
Basic Email Flow
A typical email follows a path similar to:
Sender
↓
Mail Server
↓
Internet
↓
Recipient Mail Server
↓
Recipient
Unlike web applications, email delivery is often handled by multiple systems before reaching its final destination.
Common Email Protocols
SMTP
Simple Mail Transfer Protocol (SMTP) is used to send email.
Common ports:
25/tcp
587/tcp
465/tcp
SMTP is responsible for transferring messages between mail servers.
POP3
Post Office Protocol (POP3) downloads emails from a server to a client.
Common ports:
110/tcp
995/tcp (TLS)
POP3 is less common in modern environments.
IMAP
Internet Message Access Protocol (IMAP) allows clients to synchronize mailboxes.
Common ports:
143/tcp
993/tcp (TLS)
IMAP is widely used today because messages remain stored on the server.
Common Email Platforms
Organizations commonly use:
- Microsoft Exchange
- Microsoft 365
- Google Workspace
- Postfix
- Exim
- Sendmail
Why Email Matters
Email is often the center of identity management.
Control of a mailbox may provide access to:
- Password reset links
- MFA enrollment workflows
- Internal communications
- Sensitive documents
- Business processes
- Phishing attacks
Phishing
Phishing is one of the most common attack vectors.
A phishing attack attempts to convince a user to:
- Reveal credentials
- Execute software
- Visit a malicious website
- Approve an MFA request
Many real-world compromises begin with successful phishing. In some cases, threat actors become so successful at manipulating a particular user that they continue abusing that same individual to facilitate additional access throughout the intrusion.
I have personally heard incident responders describe situations where initial access into a large enterprise was obtained through a front-office employee. Simple requests such as:
"My manager is currently on holiday. Could you send this to another email, it is for their backup manager instead? (provides fake email)"
were sufficient to convince users to perform actions that furthered the intrusion.
Perhaps the most surprising aspect of these incidents is that even after security teams identified and isolated compromised hosts or accounts, the threat actor would often return to the same individual and simply obtain access again through additional social engineering.
For those who have not yet worked in the industry, stories like this may sound exaggerated or taken directly from a movie. In reality, experienced security professionals encounter similar scenarios far more frequently than many people would expect.
The lesson is simple: technical security controls are important, but people remain a critical part of the security boundary.
Email Attachments
Email attachments are frequently used to distribute:
- Documents
- Spreadsheets
- PDFs
- Archives
- Executables
Organizations often restrict certain attachment types due to abuse.
Operators should assume that email attachments are commonly inspected by security controls.
Email Authentication
Modern email systems use several mechanisms to verify sender legitimacy.
SPF
Sender Policy Framework (SPF)
Defines which servers are authorized to send email for a domain.
Example:
corp.local
may specify which mail servers are allowed to send messages on its behalf.
DKIM
DomainKeys Identified Mail (DKIM)
Uses cryptographic signatures to verify that an email was authorized by the sending domain and was not modified in transit.
DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC)
Defines how receiving mail servers should handle messages that fail SPF or DKIM validation.
Why Operators Care
Email infrastructure often reveals:
- Internal usernames
- Naming conventions
- Organizational structure
- Business relationships
- External vendors
- Sensitive communications
Email systems may also provide opportunities for:
- Initial access
- Credential theft
- Social engineering
- Internal reconnaissance
Security Controls
Modern email security commonly includes:
- SPF
- DKIM
- DMARC
- Attachment scanning
- URL rewriting
- Sandboxing
- Anti-spam filtering
- MFA
These controls attempt to reduce phishing and malware delivery risks.