alert tcp-pkt any any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M3"; flow:stateless,to_server; flags:S; tcp.hdr; content:"|05 4e|"; offset:22; depth:2; threshold:type limit,track by_src,count 1,seconds 3600; reference:url,www.mandiant.com/resources/blog/barracuda-esg-exploited-globally; classtype:command-and-control; sid:2046275; rev:2; metadata:affected_product Barracuda_ESG, attack_target SMTP_Server, created_at 2023_06_15, deployment Perimeter, deployment Internal, deprecation_reason False_Positive, malware_family SEASPY, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_06_21; target:dest_ip;)