When CERT-Wavestone is called, three priorities drive every action and decision making: containing the threat, understanding the attack and eradicating the attacker. To achieve these objectives, establishing visibility across the impacted perimeter is the critical first step.

In such contexts where speed and effectiveness are mandatory, CERT-Wavestone relies on many tools: cybersecurity solutions (EDR, SIEM, etc.), open-source collectors and parsers, and its own internally developed tools.

Among these, StormCell stands out as an open-source tool developed by CERT-Wavestone to automate Windows triage processing and free analysts’ time to focus on what truly matters: the investigation itself.

Contain. Understand. Eradicate. Every hour counts.

Increasingly effective attackers

Several cybersecurity incident response actors agree that certain types of cyberattacks, such as ransomware and data exfiltration attacks, are becoming increasingly fast paced. The charts published by Zero Day Clock (https://zerodayclock.com) illustrate this trend:

• A growing share of zero day vulnerabilities are being actively exploited each year, rising from 16% in 2018 to 71% in 2026,
• A decreasing time to exploit (TTE) for these vulnerabilities is noted, falling from several years in 2018 to less than one day in 2026.

This is also a commonly shared observation among Wavestone’s incident response team in its latest annual report (see: CERT-Wavestone annual report), which is based on a set of around twenty major incidents affecting Wavestone clients during 2025:

As a result, to contain and remediate incidents as early as possible our incident response team must be effective in its analysis and decision‑making. This requires an especially quick understanding of the context and of the incident.

The anatomy of a CERT-Wavestone investigation

Each CERT-Wavestone investigation typically begins with a limited scope before rapidly expanding to cover dozens of systems as the situation evolves:

• Stage 1 — Initial analysis: Once the perimeter is secured and initial containment measures are in place, CERT-Wavestone is engaged and assesses the situation on a handful of suspicious or confirmed compromised machines. If the client has a SOC or CERT, existing telemetry and detection tooling provide an immediate starting point. If not, CERT-Wavestone leverages available resources to perform initial forensic collections and outline an initial overview of the attack.
• Stage 2 — Broader investigation: As the killchain becomes clearer, the investigation expands to dozens of compromised machines. When the client’s infrastructure cannot support large-scale acquisitions, CERT-Wavestone deploys its own forensic collection tool to gather triage data efficiently.
• Stage 3 — IoC hunting across the entire IS: Indicators of compromise are established, and the search extends to the entire information system. If not already in place, EDR or alternative tools can be deployed by CERT-Wavestone. Large-scale IoC sweeps rely on the built-in capabilities of the EDR, SIEM or log collection platforms.

Whether on Stage 1 or Stage 2, each collection requires the same standardized pipeline: retrieval, parsing, ingestion, Indicator of Compromise (IoC) identification, and cross-collection correlation. Consequently, manual forensic processing consumes valuable time and effort, forcing analysts to handle routine data operations instead of focusing on investigations.

Handling each collection individually by each analyst is slow, prone to errors and discrepancies, and poorly scales to the number of machines to investigate, and the number of analysts mobilized on the incident.

This is precisely the problem that StormCell, a tool developed by the CERT-W, was designed to solve.

StormCell : what is it ?

StormCell is a tool developed by CERT-Wavestone to address a long-standing need: a Windows forensic analysis orchestrator that adapts to multiple investigation contexts, automates the end-to-end processing of triage data from artifact extraction to centralized ingestion into a SIEM platform, and frees analysts to focus on the investigation, not the pipeline.

Developed in Python to make it easy to use, the tool was recently published on GitHub so that the entire incident response community can access it as open source: https://github.com/CERT-W/StormCell. CERT‑Wavestone intends for this tool to be used, tested, and improved directly by the community.

Although other similar tools have been developed and released since the beginning of its development, StormCell stands out through its modularity and its underlying technology choices, both geared towards speed and adaptability.

Three key stages : ingest, process and enrich, centralize

StormCell’s workflow is based on three key stages:

To properly perform those steps, StormCell relies on several third-party tools : whether it is for artifacts collection with Kape, enrichment and ingestion of logs into a SIEM with Vector or SIEM built-in functionalities with Splunk or ELK.

Despite these dependencies, the tool only needs to be installed and configured once on a single workstation before it can be used throughout the incident response by all analysts.

Extract and Ingest

StormCell is designed to work with two types of forensics collections: disk images and artifact ZIP extracts produced by Kape.

When StormCell is run against a disk image, it directly uses Kape to extract the relevant artifacts.

Compatible ZIP archives can also be generated with the CERT‑Wavestone tool CollectRaptor, which is based on Velociraptor, or with any other collection performed using the Velociraptor KapeTarget module.

Process and Enrich

Once raw artifacts are extracted, the core of the processing chain comes into play: the artifacts are processed with Kape.

Kape is used because it is a tool dedicated to Windows forensics artifacts parsing. It allows, through modules, to automatically execute several tools such as the Zimmerman Suite, Hayabusa or even Chainsaw. Moreover, logs parsed by Kape are directly organized on the filesystem by artifact category (executions, filesystem, registries, etc.) allowing to perform efficient local and manual analysis whenever necessary.

As a whole, StormCell uses Kape to run more than thirty artifact‑processing tools, each covering a complementary analysis scope and ensuring a high level of exhaustiveness for the elements available to analysts.

All these tools can be easily downloaded through the StormCell installation command described in its Readme. StormCell’s modular configuration also makes it simple to integrate new artifact‑processing tools as needed.

Centralize

Once the artifacts have been parsed by Kape, the generated logs are normalized, enriched, and sent to a SIEM platform through Vector, an open‑source tool particularly well‑suited to handling large volumes of data.

To determine which artifacts to send, as well as the normalizations and enrichments to apply, Vector relies on its TOML configuration files. These files include parsers that structure raw data into meaningful fields, and sinks (output destinations) that route events to the target environment, whether a client’s ELK or Splunk instance, or an internal ELK instance dedicated to CERT‑Wavestone.

To retrieve these configurations, StormCell uses the configuration files from the GitHub repository Vector4IR whose CERT‑Wavestone is a contributor.

A major time-saver for analysts

By chaining these three stages together, each forensic collection only needs to be processed once before it becomes available in the SIEM for all analysts. This makes it possible to carry out global investigations while fully leveraging the built‑in capabilities of SIEM technologies: search languages, dashboards and saved searches, lookups and data tables, correlation features, and so on.

The retrieval of collections and their handling with StormCell can be handled by a single analyst, while the others can already begin investigating in real time as the logs are being sent.

StormCell execution modes

According to the setup and configuration details provided in the Readme of the Github repository, a dedicated setup command can be used to download all the tools required for StormCell to properly operate. In addition, numerous options, described in the default configuration file and the help command, are available to accommodate different execution requirements.

For example, it is possible to specify which Kape modules should run, or to force a fresh processing and re‑ingestion of logs. Because StormCell uses a local database file to maintain state across successive executions, its behavior can be completely reset by removing this database.

Finally, StormCell offers three complementary execution modes, designed to adapt to every investigation context, from small scopes to large‑scale crises, and to let analysts be operational as quickly as possible, regardless of the types of resources available to them.

Once mode: small scopes and need for rapid investigation

Designed specifically for targeted investigations on a limited scope, this mode handles a set of preexisting collections in a single execution.

After an initial configuration by the analysts, the tool executes and enables the analysis of the collections without any additional steps.

Mountpoint mode: local collect and analysis in a single command

Mountpoint is StormCell’s end‑to‑end execution mode: from collecting artifacts on a disk or a locally mounted forensic copy all the way to sending them into the SIEM.

This mode is preferred when analyzing disk copies, and it natively includes artifact extraction through Kape’s built‑in capabilities. Once the extraction is complete, its behavior is similar to the Once mode.

Loop mode : Continuous processing for large‑scale investigations

CERT-Wavestone’s preferred mode, it is designed for large‑scale crises and aims to enable StormCell to run continuously throughout the incident. Once configured, the tool monitors a designated folder and automatically processes all collections placed there by the analysts.

This centralized drop‑off folder becomes the logistical core of the investigation: once it is set up, analysts no longer need to worry about processing collections, whether the incident lasts a few days or several weeks, and can simply deposit the triage images then access the processed data in the SIEM platform being used.

Finally, two levels of artifact processing can be configured to best match analysts’ needs when investigations are carried out on new machines:

• Short: a lightweight treatment prioritizing speed, suited to surface‑level analyses that quickly assess a machine and help prioritize investigations.
• Long: an exhaustive treatment that activates in‑depth analysis modules, intended for detailed investigations requiring a full view of the machine’s activity.

The modules to be executed in both modes can be freely configured by the analyst using StormCell. These two complementary modes make it possible to deposit archives initially into the Short folder to obtain a quick but non-exhaustive list of artifacts, then later in the investigations, deposit them into the Long folder to obtain an exhaustive list of artifacts.

StormCell : What’s next ?

StormCell is currently a key tool frequently used within CERT‑Wavestone to accelerate the processing of Windows artifacts during its investigations.

Its orchestration capabilities are planned to be extended to investigations on Cloud environments, particularly M365, as well as Linux and macOS, while also exploring the integration of new forensic sources and advanced technologies such as the use of AI.

That’s why CERT‑Wavestone invites you to contribute to its evolution: forks, pull requests, and feedback from your operational experience are welcome, so that StormCell can become the most suitable tool possible for incident response needs.

Cet article StormCell: How our blue team scales up incident response est apparu en premier sur RiskInsight.

Investigating in a Zimbra Environment

Now that Zimbra’s infrastructure and logs hold no secrets for you, it’s time to get practical.

Imagine you’re a forensic analyst, arriving early one morning, when suddenly: the phone rings. You’re being called because several users are reporting that emails, they didn’t send are appearing in their “Sent” folder.

Panic ensues! Users are afraid to log into their mailboxes, and some administrators start wondering whether the Zimbra infrastructure itself might be compromised.

Since you know Zimbra inside out, the team naturally turns to you to investigate this incident!

As a forensic analyst, many questions come to mind:

• Have the accounts really been compromised? If so, how and since when?
• How many users are affected?
• What is the attacker’s objective, and what malicious actions have been carried out from these accounts?
• Have the mail server or other Zimbra components been compromised?
• And, most importantly: do I have time for a coffee before the information hunt begins?

To help you in your investigation, we’ll look at how to answer these questions through Zimbra log analysis. But first, here are some tips to guide your investigation.

During incident response, it’s easy to feel overwhelmed by the amount of logs and events to analyze. Keeping a clear line of reasoning is essential. A few simple practices can help maintain focus:

• Confirm: Verify the information that triggered the incident. Before diving deeper, ensure the initial alert is accurate. This undeniable baseline will serve as the foundation for the entire investigation.
• Correlate: Cross-check suspicious IP addresses and domains with other sources (proxy, VPN, EDR, online antivirus databases). This provides additional context related to the identified indicator.
• Pivot: Use the collected information to expand your analysis. An attacker might reuse the same IP address or user-agent across multiple accounts. Conversely, a compromised account might be accessed from different IP addresses or user-agents. Pivoting can reveal other indicators that help identify the attacker.
• Compare patterns: Even without direct access to email content or attachments, certain elements can reveal similarities (file size, identical filenames, repeated sequences of actions after account compromise). This behavioral analysis approach can help identify multiple users compromised by the same attacker. Such hypotheses should be formulated and handled cautiously, but they can be valuable for confirming intuition.
• Ensure log preservation: This may seem obvious, but as soon as an incident is detected, securing the logs is critical. Collect logs immediately from the entire Zimbra infrastructure and extend their retention period to prevent automatic deletion. Because let’s be honest: logs disappearing just as the forensic team arrives is a way too common scenario… one you definitely want to avoid.

While these tips aren’t exhaustive, they provide a solid foundation for conducting an analysis that is both fast and efficient.

Post-compromise activity

Analysis of user activity  

What mastery! You have successfully traced back to the initial entry point used by the attacker to compromise user accounts. You have identified the malicious IP addresses, spotted the User-Agent used, and even uncovered other compromised accounts thanks to this information. In short, clean and efficient work. Impressive!

But… we still haven’t answered a crucial question: “What was the attacker’s objective, and what actions did they take from the compromised accounts?“

To find out, you now need to analyze the attacker’s activity within the Zimbra infrastructure. Once authenticated, an attacker can indeed:

• Launch an internal or external phishing campaign
• Send messages aimed at tricking a colleague, partner, or client into taking action (CEO fraud, fictitious urgent requests, etc.)
• Exfiltrate sensitive data from mailboxes

In this section, we will examine some examples of suspicious activities that can be identified from Zimbra logs.

Sending a large number of emails in a short amount of time

You want to determine whether compromised accounts were used to conduct additional phishing attempts by sending mass emails to internal or external recipients. Unfortunately, Zimbra does not provide a native event that allows you to retrieve this information directly. However, a simple grep command will get the job done.

The command below extracts the number of messages sent by each user over a specific period (here, from November 21 to November 27, 2025):

In this example, user25@wavestone.corp clearly stands out with a sending volume far above normal. An unusually high volume of emails sent from a mailbox over a short period constitutes suspicious activity.

In legitimate use, mass email sending is relatively rare and is generally associated with generic addresses or internal communication systems (e.g., newsletters, HR announcements). When a standard user account exhibits this type of behavior, it is important to:

• Determine whether this is normal, recurring activity for the user
• Check the sending time frame, IP address, and User-Agent
• Verify whether any suspicious attachments were associated with the emails

Mass email sending can trigger built-in protection mechanisms in Zimbra, including quota rules. These thresholds are designed to limit the volume of messages sent by an account over a given period to prevent abuse, spam, or phishing campaigns.

The two commands below allow you to retrieve events related to quota exceedances:

The appearance of error messages related to quota exceedances is a signal not to be ignored, because:

• Either the legitimate user accidentally exceeded a quota
• Or the account is being used fraudulently to send mass emails

Since this indicator can generate a large number of false positives, it is recommended to correlate it with other information in order to draw meaningful conclusions.

Sending an email to a large number of recipients

To avoid triggering a quota‑exceedance alert, a more seasoned attacker may adopt a more “subtle” strategy. Instead of sending dozens of individual emails (a noisy method), they may choose to send a single message addressed to a long list of recipients: an efficient way to optimize their phishing campaign.

Fortunately for you, Zimbra logs make it possible to identify the number of recipients associated with each sent email, which makes this type of maneuver detectable without too much effort.

The commands below allow you to identify emails sent to an unusually high number of recipients:

Here, you can observe that the user user25@wavestone.corp sent an email to 211 recipients. Such behavior is clearly suspicious.

In practice, it is rare for a personal email address to send a message to several dozen recipients simultaneously. This type of volume is usually associated with shared mailboxes or generic addresses (e.g., internal communications, HR services, institutional announcements).

When a standard user account exhibits this kind of activity, it is essential to:

• identify the usual communication practices within the organization
• determine whether this sending volume is normal or recurrent for the user in question
• examine the time window, IP address, and user agent used during the sending
• check if any potentially malicious attachments were associated with the messages

To save time, it is often relevant to confirm directly with the user whether the sending was legitimate.

The example presented here isolates sends containing more than 100 recipients. However, this threshold should be adjusted depending on:

• the usual volume within the organization
• the type of accounts involved
• and the period covered by the logs analyzed

Uploading suspicious attachments

Unlike email reception, the upload of suspicious attachments is better logged by Zimbra. Each time a user attaches a file to a new email, Zimbra carefully records the operation in its logs.

Using the commands below, you can retrieve the attachments added to emails by a potentially compromised user:

Similarly to the reception of malicious attachments, you can search in the logs for:

• the upload of attachments with suspicious extensions (e.g., .htm, .html, .exe, .js, .arj, .iso, .bat, .ps1, or Office/PDF documents containing macros);
• files already observed earlier during the initial phases of the incident (for example, a document downloaded by patient zero);
• correlating upload activities with malicious source IP addresses or accounts identified as compromised.

This list is not exhaustive; it may be relevant to search for any type of file that seems pertinent to the context of your investigation.

Removal of traces

Now that you have a clear picture of what the attacker did with the compromised accounts, you are disappointed because you cannot locate the emails in question. You suspect that the attacker erased its traces. But how can you verify this?

Indeed, after sending malicious emails, an experienced attacker may try to hide its tracks from the legitimate mailbox owner by deleting sent emails or returned messages.

Fortunately, the following commands will allow you to identify email deletions performed in Zimbra:

In legitimate use, it is not uncommon for a user to delete multiple emails (e.g., inbox cleanup, managing newsletters). However, the situation becomes suspicious when deletions occur:

• Immediately after a mass email sending
• Targeting specifically the most recently sent messages

During your investigation, keep in mind that an attacker may also attempt to delete:

• Read receipts generated by their emails
• Automatic replies (out-of-office messages, NDRs) that could alert the victim

It is therefore important not to overlook deletions and to correlate them with other indicators (suspicious authentications, mass email sending, quota exceedances, connections from malicious IPs) to assess the legitimacy of these actions.

Data exfiltration

One question still troubles you… Among the compromised accounts, some belonged to users who handled sensitive data for the company. You therefore want to determine whether the attacker attempted to exfiltrate any email they had access to.

Unfortunately for you, Zimbra does not log the direct download of emails. After all, retrieving messages via IMAP or SMTP is essentially a “download” from the server to the mail client. It is therefore difficult to distinguish a normal transfer from a malicious download. And in the Nginx logs (which expose the webmail), the same issue arises: it is impossible to precisely identify whether an email was downloaded.

As a small consolation, Zimbra does log certain internal operations, particularly copy actions performed within the mailbox. An attacker could, for example, create a folder to store sensitive emails before extraction.

The following command allows you to identify a massive copy of emails into a folder (here named “Exfiltration“) from the web client:

The following command allows you to identify a copy of a large number of emails in a folder from an IMAP thick client:

Although there are legitimate cases (e.g., manual backup by the user), this type of activity should raise attention, especially when correlated with:

• Logins from unusual IP addresses
• Suspicious authentications
• Mass email sending

However, as you can see, it is very difficult to confirm a data exfiltration. Therefore, it should be assumed that if a mailbox is compromised, the attacker potentially had the ability to download all emails of the affected user.

Detection of antivirus and antispam solutions

We haven’t really covered this until now, but it’s important to know that Zimbra natively integrates Amavis, a “central” component that orchestrates various security engines. These engines help identify suspicious files, phishing campaigns, and mass spam sending. It is therefore valuable to leverage these detection mechanisms when analyzing an attacker’s activities.

During your investigations, examining the messages generated by Amavis can help highlight:

• Messages blocked before reaching the user’s mailbox (e.g., spoofing attempts)
• Malicious attachments detected and placed in quarantine
• Violations of certain security policies defined on the platform

Amavis

It is possible to retrieve certain events generated by Amavis with the following commands:

Since Amavis generates a large number of events, it may be wise to focus your investigation on detections related to spam and phishing. Note that the identification of phishing messages has already been discussed in a previous section of this article (“Account Compromise via Phishing Attack“)

Incoming spam

It may be useful to identify messages that have triggered incoming spam detections. When a message is classified as spam, Zimbra generates logs indicating the reason for this categorization.

These events can contain several useful pieces of information:

• The affected account
• The unique identifier of the message in the mailbox
• The originating IP address of the email
• Additionally, in the case of a SpamReport:
  • The result of the analysis (isSpam field)
  • The action taken (e.g., moving the message from the Inbox to Junk)
  • Sometimes the recipient of the report used for training or reporting purposes (e.g., a dedicated address such as spam@wavestone.corp

The following command can help you identify events related to the processing of incoming spam:

Since spam detections generate a large number of false positives, it may be useful to narrow the scope of your investigation as much as possible (for example, by focusing on a specific time period or a specific set of users).

Outgoing spam

The threat does not always come from outside. Some malicious emails sent from compromised internal accounts to external recipients can leave very interesting traces in Zimbra’s logs. Indeed, if the message sent from the compromised account is blocked by the recipient mail server’s antispam solution, that server will send an error notification back to the Zimbra server to report the rejection.

Analyzing these non-delivery reports (NDRs) can therefore raise a red flag:
it may reveal that a user is compromised… or that an account has been used in an attempt to send malicious emails.

It is possible to extract these rejected messages using the following command:

Outgoing spam is generally rare. Analyzing it only becomes truly useful in cases where the attacker attempts to lateralize to external email accounts.

Remediation measures

You have conducted your investigation at full speed: compromised users identified, malicious IP addresses cataloged, suspicious activities analyzed… in short, you have traced the attack with surgical precision. It is now time to move to the next step: remediation.

The primary goal of remediation is to remove the attacker’s access to the infrastructure, implement detection mechanisms capable of preventing further compromise attempts, and strengthen user awareness to limit the impact of ongoing and future phishing campaigns.

By collecting various indicators related to the phishing campaign (compromised or suspected accounts, email addresses, malicious IPs and domains, etc.), it is recommended to implement a series of corrective and preventive actions (non-exhaustive):

• Reset passwords for suspected accounts: For any user who has been compromised or is suspected of being compromised, a password reset is required.
• Block malicious domains, IP addresses, and email addresses: Infrastructure elements used by the attacker (domains, IPs, senders) should be blocked using available network solutions (proxy, firewall, mail filters) as soon as they are detected. This will limit the risk of further propagation.
• Perform antivirus/EDR scans on compromised user workstations: Workstations of compromised users should undergo antivirus or EDR analysis to:
  • Detect and remove any potential malicious files
  • Ensure that phishing-related files are no longer present on the workstation
• Strengthen user awareness: Communication about ongoing phishing campaigns should be sent to users to prevent further compromise. Regular phishing awareness campaigns are strongly recommended, particularly for users who have already been compromised.
• Implement multi-factor authentication (MFA) for Zimbra mail access: Deploying a second authentication factor is highly recommended to secure mailbox access. While MFA can be perceived as inconvenient, using a Single Sign-On (SSO) with unified MFA can reduce friction while strengthening overall authentication security.
• Deploy a specialized phishing detection and filtering solution: It is recommended to install a specialized solution in detecting malicious activity in email environments. The solution should be able to identify:
  • Logins from unusual IP addresses
  • Brute-force attempts on user accounts
  • Mass email sending to numerous recipients
  • Use of suspicious attachments or links to untrusted domains
  • Active phishing campaigns (e.g., identified by a CTI service)
• Ensure Zimbra log retention: It is important to secure the collection and retention of logs. It is recommended to centralize logs from the entire Zimbra infrastructure on a server external to that infrastructure. This ensures that even in the event of compromise, modification, or encryption of Zimbra servers, logs remain intact and accessible, allowing reliable forensic investigations.

Although non-exhaustive, these remediation measures will help restore confidence in your Zimbra infrastructure and user accounts. Continuous monitoring and improvement of the security posture will, however, be necessary to adapt to future threats.

At the end of this little investigation, one thing is certain: while the attacker can choose the easiest path, the forensic analyst doesn’t have that luxury. Between scattered (or sometimes missing) logs, conflicting user testimonials, and limited visibility into certain Zimbra events, conducting an investigation can sometimes feel like solving a Rubik’s Cube… in the dark… with mittens on.

But with a solid methodology and a few good habits, Zimbra can reveal far more information than it might seem at first glance. Its logs are a real goldmine, provided you don’t get lost in them.

Ultimately, this article does not aim to turn every reader into a Jedi master of Zimbra forensics… but if it can save you two days of trying to decode Zimbra logs or hunt down the useful information, then the goal has been achieved!

And as is often said, in cybersecurity as elsewhere, prevention is better than cure. So harden your Zimbra infrastructure, back up your logs, raise user awareness… and above all, don’t be short on coffee supplies!

Sources

• https://wiki.zimbra.com/wiki/Log_Files
• https://wiki.zimbra.com/wiki/Troubleshooting_Course_Content_Rough_Drafts-Zimbra_Architecture_Component_Overview
• https://wiki.zimbra.com/wiki/Trouble_Shooting_Spam_Score_Changes

Cet article Zimbra Mailbox Compromise: From Analysis to Remediation (Part 2) est apparu en premier sur RiskInsight.

In most companies, webmail access portals are exposed on the internet and do not always benefit from sufficient access-control mechanisms. In addition, some messaging services offer extended features that go beyond simple email consultation, such as file sharing or access to collaborative applications.

Poorly secured messaging services therefore represent prime targets for attackers. Compromising a mailbox can then be used to launch phishing campaigns, access sensitive data, carry out fraud attempts, or even gain access to other services.

At CERT-W, we regularly deal with this type of compromise. In particular, several of our investigations in 2025 involved the compromise of Zimbra email accounts, a solution used by many public and private organizations. Faced with these incidents, we noticed a clear lack of forensic documentation specific to Zimbra infrastructures.

This article is therefore our modest contribution to filling this gap. We share a pragmatic approach and a few tips to help you save time when analyzing this type of environment, as well as some remediation measures.

The Zimbra Infrastructure

If you’re not familiar with Zimbra infrastructures, don’t worry: this section is for you! For the more experienced readers, feel free to jump straight to the investigation section (we won’t hold it against you).

The architecture

Zimbra isn’t just “another mail server“. It’s a complete open-source collaborative suite that brings together several useful components:

• A mail server: the core of the system.
• A calendar, contacts, and task manager: so you never forget that 9 AM meeting.
• A web client: accessible from any browser.
• Additional services: antispam, antivirus, mobile synchronization, and more.

But like any infrastructure used by hundreds (or even thousands) of users simultaneously, sizing and performance quickly become important topics. That’s why Zimbra can be deployed in two different ways:

• Monolithic mode: everything on a single server (simple and effective… up to a point).
• Distributed mode: multiple servers, each with a specific role, to better handle load, availability, and maintenance.

In simplified form, a distributed Zimbra infrastructure looks like this:

Although the architecture may vary, the following components are usually present:

• Proxy Server: the entry point for Web, IMAP/POP, and ActiveSync clients. Logs generated at this level provide visibility into user connections (IP addresses, user agents, timestamps, etc.).
• Web Client Server (Mailboxd UI): hosts the Webmail interface used by users to access their mailbox through a browser.
• Mailbox Server (Mailboxd): hosts user mailboxes and manages messages, folders, and calendars. This component generates the richest logs (e.g., mailbox.log, audit.log, sync.log).
• MTA Server (Message Transfer Agent): receives emails via SMTP and delivers them to the appropriate Zimbra mailbox server using the LMTP (Local Mail Transfer Protocol).

The Zimbra MTA relies on several complementary services:

• Postfix MTA: handles message routing, relaying, and filtering (including attachments).
• ClamAV: antivirus engine responsible for scanning messages and attachments.
• SpamAssassin and DSPAM: spam filters that use various mechanisms to identify unwanted emails.
• Amavis: the orchestrator that runs the configured antivirus and antispam engines, then applies processing policies to incoming messages.

The MTA server plays a key role in the Zimbra infrastructure. This is where most of the security checks applied to incoming emails are performed. The diagram below illustrates the main stages of this analysis workflow:

In the process of receiving an incoming email, the message is first handled by Postfix, which then forwards it to Amavis for analysis. Amavis invokes the various configured analysis engines and submits the email to each of them to collect their results. Based on the defined policies, Amavis returns a verdict to Postfix: deliver the message, block it, or move it to a specific folder.

Zimbra logs

Now that you’re practically a Zimbra architecture expert (or almost ), you’ve probably noticed that many services are required to handle users’ email sending and receiving. The good news is that each of these services generates its own logs, providing significant visibility into the activity of the mail infrastructure. And for us forensic analysts, that’s excellent news: we love logs!

Studying the logs generated by Zimbra allows us to reconstruct the timeline of a compromise, identify compromised mailboxes, spot malicious attachments, and even detect potential internal relays.

This wealth of information is made possible thanks to logs, which are mainly located in:

• /opt/zimbra/log/mailbox.log: main log of user activities (authentications, sending/receiving emails, managing mails, folders, contacts, calendars, etc.).
• /opt/zimbra/log/access_log: Webmail access log (IP addresses, user agents, visited URLs).
• /opt/zimbra/log/audit.log: authentication traces (successes, failures, mechanisms used).
• /opt/zimbra/log/sync.log: mobile synchronization traces (ActiveSync/EAS).
• /opt/zimbra/log/convertd.log: file conversion traces (Webmail previews, indexing).
• /opt/zimbra/log/clamd.log | /opt/zimbra/log/freshclam.log: ClamAV antivirus activity.
• /opt/zimbra/log/spamtrain.log: traces of user-initiated antispam training.
• /opt/zimbra/log/cbpolicyd.log: Postfix policy enforcement (quotas, anti-relay, restrictions).
• /var/log/mail.log: system Postfix logs (SMTP, LMTP, Amavis).
• /var/log/nginx.access.log | /var/log/nginx.log: Nginx web server logs (useful for contextualizing web sessions).

Unfortunately, in a distributed Zimbra architecture, logs are not centralized. In other words, to get a complete picture of an incident, an analyst often needs to collect logs from each node: proxy, mailstore, MTA, or any other peripheral server. Yes, it requires a bit of gymnastics (and patience).

As we mentioned, the wealth of Zimbra logs is a real goldmine for investigations… but, like any mine, you need to dig methodically, or you’ll quickly find yourself buried under tons of log lines. Some effort in sorting and correlating data is therefore necessary to extract relevant information.

And despite their undeniable usefulness, Zimbra logs have some notable limitations:

• No access to the full content of emails or their attachments.
• Email subjects are rarely available, except when intercepted by antispam or antivirus modules.
• No native visibility into the creation of forwarding rules.
• Rapid rotation of verbose logs (like log), which limits the analysis time window if logs are not centralized.

Investigating in a Zimbra Environment

Now that Zimbra’s infrastructure and logs hold no secrets for you, it’s time to get practical.

Imagine you’re a forensic analyst, arriving early one morning, when suddenly: the phone rings. You’re being called because several users are reporting that emails, they didn’t send are appearing in their “Sent” folder.

Panic ensues! Users are afraid to log into their mailboxes, and some administrators start wondering whether the Zimbra infrastructure itself might be compromised.

Since you know Zimbra inside out, the team naturally turns to you to investigate this incident!

As a forensic analyst, many questions come to mind:

• Have the accounts really been compromised? If so, how and since when?
• How many users are affected?
• What is the attacker’s objective, and what malicious actions have been carried out from these accounts?
• Have the mail server or other Zimbra components been compromised?
• And, most importantly: do I have time for a coffee before the information hunt begins?

To help you in your investigation, we’ll look at how to answer these questions through Zimbra log analysis. But first, here are some tips to guide your investigation.

During incident response, it’s easy to feel overwhelmed by the amount of logs and events to analyze. Keeping a clear line of reasoning is essential. A few simple practices can help maintain focus:

• Confirm: Verify the information that triggered the incident. Before diving deeper, ensure the initial alert is accurate. This undeniable baseline will serve as the foundation for the entire investigation.
• Correlate: Cross-check suspicious IP addresses and domains with other sources (proxy, VPN, EDR, online antivirus databases). This provides additional context related to the identified indicator.
• Pivot: Use the collected information to expand your analysis. An attacker might reuse the same IP address or user-agent across multiple accounts. Conversely, a compromised account might be accessed from different IP addresses or user-agents. Pivoting can reveal other indicators that help identify the attacker.
• Compare patterns: Even without direct access to email content or attachments, certain elements can reveal similarities (file size, identical filenames, repeated sequences of actions after account compromise). This behavioral analysis approach can help identify multiple users compromised by the same attacker. Such hypotheses should be formulated and handled cautiously, but they can be valuable for confirming intuition.
• Ensure log preservation: This may seem obvious, but as soon as an incident is detected, securing the logs is critical. Collect logs immediately from the entire Zimbra infrastructure and extend their retention period to prevent automatic deletion. Because let’s be honest: logs disappearing just as the forensic team arrives is a way too common scenario… one you definitely want to avoid.

While these tips aren’t exhaustive, they provide a solid foundation for conducting an analysis that is both fast and efficient.

Compromise and initial access

The spoofing trap

You are not fooled! You know that sometimes one might believe the attacker is already inside the system, when in reality, they are still outside (fake it until you make it). Especially when multiple users start reporting concerning incidents, such as:

• “I received an email from so-and-so, yet they claim they never sent it.“
• “I received an email from my own address, which makes no sense!“

But your experience pushes you to verify that the current confusion is not simply the result of… a spoofing attack.

Indeed, spoofing is a relatively simple identity impersonation attack used by malicious actors to falsify email header information (e.g. sender address) in order to deceive a victim. Spoofing allows an email to be sent while pretending to be from a legitimate sender (for example, an internal user of the company or the recipient themselves), when in reality the email comes from an infrastructure that has no authorization to use that email address.

The goal is to gain the recipient’s trust to prompt them to take an action (click a link, open an attachment, provide credentials, etc.) or bypass filtering mechanisms.

Mechanisms such as SPF, DKIM, and DMARC were designed to reduce the risks associated with spoofing by allowing verification of the sender domain and server authenticity.

More specifically, the Sender Policy Framework (SPF) is an email security mechanism that allows verification that the sending server of a message is indeed authorized to send emails on behalf of the domain indicated in the sender’s address. The steps of an SPF check are illustrated below:

Concretely, the domain owner publishes in the DNS records a list of IP addresses authorized to send emails on behalf of their domain. When a mail server receives an email, it can compare the sender’s IP address to this list and determine whether the message is legitimate or potentially fraudulent.

An SPF check failure indicates that the email was sent from a server not authorized by the sender’s domain. This serves as an indicator for identifying potential spoofing attempts.

In Zimbra logs, SPF check failures can be identified using the following command:

In above example, we can see that the message sent from attacker@microsoft.com to user25@wavestone.corp does not pass SPF validation (SPF_FAIL). The “Yes” field indicates that it is classified as spam. Since its score (9.172) exceeds the required threshold (4), this message will therefore not be delivered to its recipient.

However, you should not place blind trust in the antispam engine! Some emails that fail SPF checks may still be delivered. To extract only these messages, you can use the following command:

In the example below, the message fails the SPF check, but its score is negative (-2.06) and below the spam threshold (4). It is therefore considered legitimate and delivered to the recipient despite the SPF failure.

As you can see, Zimbra logs make it possible to quickly identify senders responsible for spoofing attacks. Detecting a spoofing case early in the investigation helps to quickly reduce concerns and restore a certain level of trust in the Zimbra infrastructure.

Analysis of the attacker’s initial access

Once you have confirmed that you are not dealing with a spoofing attack, it means the attacker has, in one way or another, succeeded in compromising an account or a component of the infrastructure. The first step of your investigation will be to identify the attacker’s initial point of entry. This means finding the answers to the questions “Where?”, “When?”, and “How?”. But when it comes to compromising a mailbox, several approaches are possible…

Account compromise through password brute‑forcing

One path you can explore is the possibility that the attacker attempted to compromise certain accounts through a brute‑force attack.

To do this, simply examine authentication failures in the Zimbra logs:

In the events above, we can see authentication attempts coming from the IP address 100.100.4.111 that failed for the account user25@wavestone.corp.

A large number of unsuccessful login attempts over a short period, from the same IP address or targeting the same account, is indicative of a brute‑force attempt.

An excessive number of authentication failures can also trigger automatic account lockout by Zimbra:

From a forensic perspective, the appearance of such an event in the logs may suggest that an account was potentially targeted.

Once the brute‑force attempt has been identified, it is possible to check when the attacker may have used the compromised account by analyzing the successful logins associated with that user:

Additionally, if you have identified the attacker’s IP address, you can find all successful connections from that address using the following commands:

Once malicious connections have been identified, it is necessary to analyze the account activity following these accesses in order to identify the actions performed by the attacker.

Account compromise through phishing attacks

If no brute‑force attempts have been identified, another common initial compromise vector is the way too familiar: phishing attack! In this case, the attack does not target the Zimbra infrastructure directly: the user first receives an email prompting them to visit a fraudulent page or open a malicious file. Only after clicking does the damage occur (such as credential or session token theft).

In this scenario, you should, if possible, retrieve the malicious email from the user’s mailbox for analysis. If you can obtain it, here are the key pieces of information to collect:

• Date and time of receipt
• Subject of the email
• Sender (From)
• Recipients (To, Cc)
• Reply addresses (Reply-To, Return-Path)
• IP address of the originating sending server
• Names of attachments (if any)
• Results of SPF, DKIM, and DMARC checks
• Identified phishing URLs (if present)

These elements will help reconstruct the attacker’s methodology, provide initial guidance for your investigation and define first remediation measures.

Unfortunately, if you do not have direct access to the user’s mailbox, you will need to rely primarily on Zimbra logs, specifically the events generated by Amavis when analyzing incoming emails.

Suppose you want to identify malicious attachments sent by an attacker to users. Zimbra logs are very useful in this case, as they allow you to track the files that were analyzed and extract information such as their name, size, type, and fingerprint (SHA1).

The following command allows you to identify attachments processed by Amavis during the analysis of incoming messages:

The result above shows that the file Evil.htm was analyzed by Amavis. Several useful pieces of information can be found:

• Date and time: November 12 at 11:15
• SHA‑1 signature of the file: 9d57b71f9f758a27ccd680f701317574174e82d8
• Size: 22,111 bytes
• Content-Type: text/html
• Amavis session ID associated with this analysis: 4384125-19

However, on their own, these elements do not allow you to determine which users received this attachment or who the sender was. To obtain this information, a second command must be executed to retrieve all traces associated with this Amavis session:

From this information, you can now deduce that attacker@example.com sent the file Evil.htm (22,111 bytes) to user25@wavestone.corp on November 12 at 11:15, and that its SHA‑1 signature is 9d57b71f9f758a27ccd680f701317574174e82d8. Not bad, right?

During your investigation, you can further filter the output of these commands to identify:

• Attachments with suspicious extensions (e.g., *.htm, *.html, *.exe, *.js, *.arj, *.iso, *.bat, .ps1, or Office/PDF documents containing macros)
• Files previously observed during the early stages of the incident (for example, a file downloaded by patient zero)

During a phishing campaign involving the delivery of a malicious file, attackers often tend to distribute the same file to multiple users. It is therefore possible to rely on statistical analysis to highlight abnormal values.

The following command allows you to identify identical files present in several incoming emails:

The command above allows you to retrieve, for each attachment in emails received by Zimbra, the number of times it has been observed in other emails, based on its name and SHA‑1 signature.

In this example, the file Evil.htm appears in 40 emails, which, combined with its .htm extension, makes it particularly suspicious. It would therefore be relevant to attempt to retrieve this file from the affected users to verify its legitimacy.

If the analysis of attachments did not help you identify the culprit, there is one last avenue to explore: retrieving phishing detections from SpamAssassin (an antispam engine executed by Amavis).

The following command allows you to identify messages flagged as suspected phishing by SpamAssassin:

However, this command only provides limited information: the sender, the recipient, and the detection rules that were triggered. To obtain more details on the complete analysis, you must retrieve the Amavis session ID associated with the message (here 765283-08), then execute the following command:

This second command provides access to additional information generated during the analysis of the message by Amavis.

However, SpamAssassin results should be interpreted with caution, as its detection rules can generate a significant number of false positives.

Exploiting a vulnerability on the Zimbra web server

Your experience as a forensic investigator has taught you: this is neither the first nor the last time that an application vulnerability allows an attacker to hijack user sessions. Zimbra is no exception, and its web server, which provides access to mailboxes, could very well be vulnerable to this type of attack.

Compromise of the Zimbra web server could, in theory, allow an attacker to capture credentials of users logging in. “But how can we check if Zimbra has been subjected to web intrusion attempts?” you might ask.

A first step is to inspect the proxy (nginx) logs to identify malicious or suspicious HTTP requests targeting the web interface:

Among the indicators to look for in the logs are:

• Unusual POST or PUT requests or requests to unexpected endpoints
• Injection attempts (SQLi, LFI, RCE payloads visible in URIs or parameters)
• Repeated access to non-public resources or atypical scripts
• Strange User-Agents or a high concentration of requests from the same IP
• Numerous 4xx/5xx errors on sensitive paths (indicative of scanning/enumeration)
• Signs of file uploads (attempts to access /tmp, /uploads, etc.) or hits on known web shells

If you observe malicious requests that succeeded (for example, with an HTTP 200 code), it is recommended to conduct a more in-depth investigation on the server to determine whether the exploitation was actually successful.

Compromise of the user’s workstation

If none of the previous scenarios seem to match what you are observing and the initial point of entry remains unidentified, it is possible that the attacker obtained access credentials directly from the user’s workstation.

This type of compromise can occur, for example:

• As a result of a previous phishing campaign
• Because the user executed a malicious program on their machine (cracks, software downloaded from a dubious site, connecting an infected USB drive, etc.)

Once able to execute code on the workstation, the attacker can easily extract credentials stored in the browser, retrieve session cookies, or even install a keylogger to capture keystrokes.

Detecting this type of compromise goes beyond the scope of this article. But keep this possibility in mind: if no intrusion traces appear in Zimbra, the problem may lie elsewhere .

Yes! The investigation is far from over! This first part has allowed you to master Zimbra’s architecture, understand the different sources of evidence, and observe that through Zimbra logs it is possible to identify several compromise techniques. However, the initial access is only the starting point of our research. In a second part, we will continue the post–initial-access analysis. First, we will try to identify the malicious actions carried out by the attacker after compromising an account. Second, we will review the various remediation measures to implement. Stay tuned, a follow-up article will be published soon to delve deeper into these next steps!

Sources

• https://wiki.zimbra.com/wiki/Log_Files
• https://wiki.zimbra.com/wiki/Troubleshooting_Course_Content_Rough_Drafts-Zimbra_Architecture_Component_Overview
• https://wiki.zimbra.com/wiki/Trouble_Shooting_Spam_Score_Changes

Cet article Zimbra Mailbox Compromise: From Analysis to Remediation (Part 1) est apparu en premier sur RiskInsight.