
SMTP to the Internet

Elastic Detection Rules

Summary
This detection rule identifies SMTP traffic from internal hosts on an organization's network to external Internet destinations. Adversaries can abuse the Simple Mail Transfer Protocol (SMTP) for command and control or for data exfiltration, so outbound mail sessions that bypass the organization's sanctioned mail servers are worth examining. The rule's query matches TCP traffic to the well-known SMTP ports (25, 465, 587) in the relevant network event categories, restricts sources to internal (private) IP ranges, and excludes private and reserved destination ranges to reduce false positives; it is written so that legitimate NATed servers that relay mail are not flagged. The rule is mapped to MITRE ATT&CK tactics and techniques for both command and control and exfiltration, which makes it relevant for spotting possibly malicious activity in corporate environments. It is categorized as low severity with a risk score of 21, and has been marked deprecated since April 15, 2021.
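The filter the summary describes, recreated as an added Python example rather than the rule's own query: it assumes flat ECS-style field names (event.category, network.transport, source.ip, destination.ip, destination.port), uses an assumed list of non-Internet destination ranges, and adds a `known_relays` allow-list hook for sanctioned mail servers or NAT gateways. The sample events are constructed.

```python
import ipaddress

SMTP_PORTS = {25, 465, 587}

# Internal source ranges (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destinations that are not "the Internet": private plus common reserved blocks
# (assumed list; extend from the IANA special-purpose registry for production use).
NON_INTERNET_NETS = [ipaddress.ip_network(c) for c in
                     ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
                      "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
                      "224.0.0.0/4", "240.0.0.0/4")]

def _in_any(ip, nets):
    return any(ip in n for n in nets)

def is_smtp_to_internet(event, known_relays=()):
    """True when a flat ECS-style event is internal host -> Internet SMTP over TCP.
    known_relays: source IPs of sanctioned mail servers/NAT gateways to suppress."""
    if event.get("event.category") != "network" or event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") not in SMTP_PORTS:
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False  # missing or malformed address: never alert on unparseable data
    if str(src) in known_relays:
        return False  # tuning: sanctioned relays are expected to talk SMTP outbound
    return _in_any(src, INTERNAL_NETS) and not _in_any(dst, NON_INTERNET_NETS)

def find_smtp_to_internet(events, known_relays=()):
    return [e for e in events if is_smtp_to_internet(e, known_relays)]

def ev(src, dst, port, proto="tcp"):
    return {"event.category": "network", "network.transport": proto,
            "source.ip": src, "destination.ip": dst, "destination.port": port}

# Constructed sample events; 203.0.113.0/24 (TEST-NET-3) stands in for a public host.
SAMPLE_EVENTS = [
    ev("10.10.1.5", "203.0.113.25", 25),          # internal -> Internet: match
    ev("192.168.1.20", "10.0.0.9", 587),          # internal relay: no match
    ev("10.10.1.5", "203.0.113.25", 443),         # not an SMTP port
    ev("203.0.113.7", "10.10.1.5", 25),           # inbound mail: source not internal
    ev("172.20.3.4", "203.0.113.25", 25, "udp"),  # not TCP
    ev("172.20.3.4", "203.0.113.25", 465),        # internal -> Internet: match
]
```

Calling `find_smtp_to_internet(SAMPLE_EVENTS)` returns the two internal-to-Internet events; passing `known_relays={"172.20.3.4"}` suppresses the second, which is how a sanctioned relay or NAT gateway would be tuned out.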
Categories
  • Network
  • Cloud
  • Endpoint
Data Sources
  • Network Traffic
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1048
Created: 2020-02-18