🐾 - 🔔 Potential DNS Exfiltration 🥷 - T1048
Source: pawpatrules
Created: May 31, 2025
Updated: September 25, 2025
Classification: trojan-activity
alert dns any any -> any any (msg:"🐾 - 🔔 Potential DNS Exfiltration 🥷 - T1048"; dns_query; flow:to_server, stateless; threshold:type threshold, track by_src, count 10, seconds 30; content:"."; pcre:"/^(?=[a-zA-Z0-9+=]{15,})(?![a-zA-Z0-9+=-]*-)[a-zA-Z0-9+=]{15,}.[a-zA-Z0-9.]{1,}.[a-zA-Z]{2,7}$/"; content:!".googleapis.com"; endswith; content:!".azureedge.net"; endswith; content:!".office.com"; endswith; content:!".azure.com"; endswith; content:!".sentry.io"; endswith; reference:url,https://attack.mitre.org/techniques/T1048/; metadata:created_at 2025_05_31, updated_at 2025_09_25, signature_severity Major, attack_target Client_and_Server, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1048, mitre_technique_name Exfiltration_Over_Alternative_Protocol; sid:3321447; rev:8; classtype:trojan-activity;)
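To see what this signature actually flags, the script below re-implements its matching logic in Python and runs it over a constructed DNS query log. It is an added illustration, not code from pawpatrules or Suricata: the pcre and the five negated `endswith` suffixes are copied verbatim from the rule, while the `threshold:type threshold, track by_src, count 10, seconds 30` bookkeeping is emulated with a simple per-source sliding window (Suricata's internal counting and its `dns_query` buffer normalization differ in detail). All hostnames, IPs and timestamps are made up.

```python
import re
from collections import defaultdict

# pcre copied verbatim from the rule; Suricata applies it to the dns_query buffer.
# Note the dots between the groups are unescaped, so each matches any character.
RULE_PCRE = re.compile(
    r"^(?=[a-zA-Z0-9+=]{15,})(?![a-zA-Z0-9+=-]*-)[a-zA-Z0-9+=]{15,}.[a-zA-Z0-9.]{1,}.[a-zA-Z]{2,7}$"
)

# content:!"..."; endswith; -- a query ending in any of these never alerts.
EXCLUDED_SUFFIXES = (
    ".googleapis.com",
    ".azureedge.net",
    ".office.com",
    ".azure.com",
    ".sentry.io",
)

# threshold:type threshold, track by_src, count 10, seconds 30
THRESHOLD_COUNT = 10
THRESHOLD_SECONDS = 30


def query_matches(qname):
    """Per-query part of the rule: content:"."; the pcre; and the suffix exclusions."""
    if "." not in qname:               # content:"."
        return False
    if not RULE_PCRE.search(qname):    # pcre
        return False
    return not any(qname.endswith(s) for s in EXCLUDED_SUFFIXES)


def evaluate_threshold(events, count=THRESHOLD_COUNT, seconds=THRESHOLD_SECONDS):
    """Emulate 'threshold, track by_src': fire once a source reaches `count`
    matching queries inside a `seconds` window, then start counting again.
    `events` is an iterable of (timestamp_seconds, src_ip, query_name).
    Returns the list of (timestamp, src_ip) alerts in time order."""
    windows = defaultdict(list)  # src_ip -> timestamps of recent matches
    alerts = []
    for ts, src, qname in sorted(events):
        if not query_matches(qname):
            continue
        # age out matches older than the window, then record this one
        hits = [t for t in windows[src] if ts - t < seconds]
        hits.append(ts)
        if len(hits) >= count:
            alerts.append((ts, src))
            hits = []  # reset so the next alert needs another `count` matches
        windows[src] = hits
    return alerts


def build_sample_events():
    """Constructed DNS log (hypothetical hosts): 12 long alphanumeric first
    labels from 10.0.0.5 in 12 seconds, plus benign lookups from 10.0.0.9."""
    events = []
    for i in range(12):
        label = f"QUJDREVGR0hJSktMTU5PUA{i:02d}"  # 24-char encoded-looking label
        events.append((i, "10.0.0.5", f"{label}.tunnel.example.net"))
    events += [
        (3, "10.0.0.9", "www.example.com"),                                   # too short
        (5, "10.0.0.9", "abcdefghijklmnopqrstuvwxyz.storage.googleapis.com"),  # pcre hits, suffix excluded
        (7, "10.0.0.9", "my-long-hostname-here.example.net"),                 # hyphen breaks the label class
    ]
    return events


if __name__ == "__main__":
    for ts, src, qname in sorted(build_sample_events()):
        print(f"{ts:3d}s {src:10s} {qname:55s} match={query_matches(qname)}")
    print("alerts:", evaluate_threshold(build_sample_events()))
```

Run against the constructed log, only the tenth matching query from 10.0.0.5 (at 9 s) produces an alert; the two queries after it are counted toward a possible second alert that never reaches ten. The benign host never alerts: `www.example.com` has no 15-character first label, the `googleapis.com` lookup is suppressed by the `endswith` exclusion, and a hyphenated hostname fails the pcre. Because the dots in the pcre are unescaped, the split between the encoded label and the rest of the name is looser than the pattern reads; tightening them to `\.` would be a natural refinement when tuning the rule locally.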