
Summary
This detection rule identifies suspicious outbound SMTP connections that may indicate data exfiltration by an adversary. It is based on the premise that attackers can steal data by sending it over an unencrypted network protocol that is separate from their existing command and control channel, so the exfiltration traffic does not stand out as C2. The rule focuses on outbound SMTP traffic to the common ports 25, 587, 465, and 2525. To filter legitimate traffic, it excludes connections initiated by specific email client applications (such as Thunderbird and Outlook) and by known Microsoft Exchange server processes. The aim is to spot SMTP communications originating from systems and processes that do not normally send mail, which can indicate an unauthorized attempt to exfiltrate sensitive information. The detection combines selection criteria with filters to reduce false positives, in particular from other legitimate SMTP tools; any additional mail-sending software in the environment should be added to the exclusion list before deployment. Deploying this rule is valuable in environments where data protection is a priority, as it directly addresses the risk of data exfiltration over email channels.
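As an added illustration (not part of the original rule or its project), the following Python reimplements the selection-and-filter logic described above and runs it over a few constructed Sysmon-style network-connection records. The field names, the image names of the excluded clients, and the Exchange install path are assumptions chosen to mirror the summary.

```python
"""Toy reimplementation of the outbound-SMTP exfiltration rule (added example)."""
from typing import Iterable

# Ports the summary names as common SMTP destinations.
SMTP_PORTS = {25, 587, 465, 2525}
# Assumed image names of the legitimate mail clients the rule excludes.
MAIL_CLIENTS = ("\\thunderbird.exe", "\\outlook.exe")
# Assumed install path prefix for Microsoft Exchange server processes.
EXCHANGE_PREFIX = "c:\\program files\\microsoft\\exchange server\\"


def is_suspicious_smtp(event: dict) -> bool:
    """Return True when a network-connection event matches the rule.

    Selection: connection initiated by the host (outbound) to an SMTP port.
    Filters: known mail clients and Exchange server processes are excluded.
    """
    if not event.get("Initiated", False):          # inbound traffic is out of scope
        return False
    if event.get("DestinationPort") not in SMTP_PORTS:
        return False
    image = event.get("Image", "").lower()         # case-insensitive path match
    if image.endswith(MAIL_CLIENTS):               # legitimate desktop clients
        return False
    if image.startswith(EXCHANGE_PREFIX):          # legitimate mail server
        return False
    return True


def flag_events(events: Iterable[dict]) -> list:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if is_suspicious_smtp(e)]


# Constructed sample records (Sysmon Event ID 3 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe",
     "DestinationPort": 587, "Initiated": True},                       # client: excluded
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "DestinationPort": 25, "Initiated": True},                        # unexpected sender
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationPort": 443, "Initiated": True},                       # not SMTP
    {"Image": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe",
     "DestinationPort": 25, "Initiated": True},                        # Exchange: excluded
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationPort": 465, "Initiated": False},                      # inbound: ignored
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("suspicious outbound SMTP:", hit["Image"], "->", hit["DestinationPort"])
```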
Categories
- Network
- Endpoint
- Windows
Data Sources
- Network Traffic
ATT&CK Techniques
- T1048.003
Created: 2022-01-07