alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; pcre:"/^\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:12; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)