# imap\_scan\_external\_internal

**Explanation**

This NDM is designed to detect scanning for IMAP that is hitting the customer’s network from the Internet. IMAP is an internet standard protocol for email retrieval.

**What to Look For**

Scanning activity on the Internet is quite commonplace.

**Related MITRE ATT\&CK Categories**

[Reconnaissance: Active Scanning, Technique T1595 - Enterprise](https://attack.mitre.org/techniques/T1595)