alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible SMTP Data Exfiltration - File Attachment Named Files.zip"; flow:established,to_server; content:"Content-Type|3a 20|application/x-zip-compressed|3b 0d 0a|"; content:"name|3d 22|Files.zip|22 0d 0a|"; distance:0; fast_pattern; content:"Content-Transfer-Encoding|3a 20|base64|0d 0a|"; distance:0; content:"Content-Disposition|3a 20|attachment|3b 0d 0a|"; distance:0; content:"filename|3d 22|Files.zip|22 0d 0a 0d 0a|"; distance:0; reference:md5,1d9be2dfd54bf4a986c6cd1b7b630750; classtype:bad-unknown; sid:2044136; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2023_02_06, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_06;)