
Summary
This detection rule identifies potentially malicious use of SMTP traffic over TCP port 26, a port some mail transfer agents use to avoid conflicts with the standard SMTP port 25. Notably, this port has also been used by the BadPatch malware for command and control (C2) communications with Windows systems. The query selects traffic on TCP port 26 and flags any associated SMTP activity to surface potentially unauthorized access or use by threat actors. Because port 26 is sometimes used by legitimate applications, steps to minimize false positives are detailed, including exclusion criteria for known benign mail transfer agents. This rule supports network threat detection by helping investigators analyze unusual email traffic patterns that might indicate an ongoing compromise.
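The following is an added example, not the rule's own query and not code from the rule's authors, showing how the logic described above can be applied to a small set of constructed network events. It assumes ECS-style field names (event.category, network.transport, destination.port, network.protocol, source.ip, process.name), and the benign mail relay list and MTA process names are placeholders to be replaced with an organization's own inventory. It goes slightly beyond the summary by requiring that an exclusion match both a known relay host and a known MTA process, so that a familiar process name on an unexpected host is still flagged.

```python
"""Toy SMTP-on-TCP/26 detector run over constructed sample events.

Assumptions (not from the original page): ECS-style field names, and the
relay/MTA exclusion lists below are placeholders for an environment's own
inventory of legitimate mail infrastructure.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

PORT_OF_INTEREST = 26

# Placeholder exclusion criteria (assumed, not from the page): a hit is
# suppressed only when BOTH the source host is a known mail relay AND the
# originating process is a known MTA. Matching on process name alone is
# weak, since a process name is trivially chosen by whoever runs it.
KNOWN_MAIL_RELAYS = {"10.0.0.5"}
KNOWN_MTA_PROCESSES = {"postfix", "exim", "sendmail"}


def is_tcp_port26(event: Dict) -> bool:
    """True for TCP network events whose destination port is 26 and that
    are either labelled SMTP or carry no application-protocol label."""
    if event.get("event.category") not in ("network", "network_traffic"):
        return False
    if event.get("network.transport") != "tcp":
        return False
    if event.get("destination.port") != PORT_OF_INTEREST:
        return False
    proto: Optional[str] = event.get("network.protocol")
    return proto in (None, "smtp")


def is_excluded(event: Dict) -> bool:
    """Benign-MTA exclusion: known relay host AND known MTA process."""
    return (
        event.get("source.ip") in KNOWN_MAIL_RELAYS
        and event.get("process.name") in KNOWN_MTA_PROCESSES
    )


def find_suspicious(events: Iterable[Dict]) -> List[Dict]:
    """Return the events that match the port-26 SMTP criteria and are not
    covered by the benign-MTA exclusion."""
    return [e for e in events if is_tcp_port26(e) and not is_excluded(e)]


def summarize_by_source(hits: Iterable[Dict]) -> Dict[str, int]:
    """Count flagged events per source host, the view an investigator
    typically starts from when triaging unusual mail traffic."""
    return dict(Counter(e.get("source.ip", "unknown") for e in hits))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Known relay running a known MTA: excluded as benign.
    {"event.category": "network", "network.transport": "tcp",
     "destination.port": 26, "network.protocol": "smtp",
     "source.ip": "10.0.0.5", "process.name": "postfix"},
    # Unknown process on a workstation talking SMTP on port 26: flagged.
    {"event.category": "network", "network.transport": "tcp",
     "destination.port": 26, "network.protocol": "smtp",
     "source.ip": "10.0.0.7", "process.name": "unknown.exe"},
    # Standard port 25: out of scope for this rule.
    {"event.category": "network", "network.transport": "tcp",
     "destination.port": 25, "network.protocol": "smtp",
     "source.ip": "10.0.0.7", "process.name": "unknown.exe"},
    # UDP to port 26: not SMTP transport, not flagged.
    {"event.category": "network", "network.transport": "udp",
     "destination.port": 26, "source.ip": "10.0.0.8"},
    # TCP/26 with no protocol label from the sensor: flagged on port alone.
    {"event.category": "network", "network.transport": "tcp",
     "destination.port": 26, "source.ip": "10.0.0.9"},
    # Known MTA process name on a host that is NOT a known relay: flagged.
    {"event.category": "network", "network.transport": "tcp",
     "destination.port": 26, "network.protocol": "smtp",
     "source.ip": "10.0.0.11", "process.name": "postfix"},
]


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EVENTS)
    for h in hits:
        print(f"flag: {h.get('source.ip')} -> tcp/26 "
              f"proc={h.get('process.name')} proto={h.get('network.protocol')}")
    print(summarize_by_source(hits))
```

The last sample event is the reason the exclusion requires both a host and a process match: an MTA process name appearing on a host that is not part of the known mail infrastructure is exactly the kind of event this rule is meant to surface, so it should not be silenced by a process-name allowlist alone.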
Categories
- Network
- Endpoint
Data Sources
- Network Traffic
- Firewall
- Process
ATT&CK Techniques
- T1048
Created: 2020-02-18