This alert identifies internal hosts accessing unsanctioned SMTP servers. Internal hosts should only use the SMTP relay servers configured for internal use.
MITRE ATT&CK Tactics
Command and Control
Personal devices used in the corporate network
1. Block SMTP traffic to non-sanctioned mail gateways at the perimeter firewall
2. Review the internal device that generated the SMTP traffic
3. Notify the user of the improper traffic and ask them to review corporate AUP policies
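The detection this alert describes can be sketched over flow records as follows. This is an added example, not the product's own rule logic; the relay addresses, internal ranges, port list and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed values, not from the page: relay addresses, internal ranges, SMTP ports.
SANCTIONED_RELAYS = {ipaddress.ip_address(a) for a in ("10.0.5.25", "10.0.5.26")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}

# Constructed flow records: timestamp src_ip dst_ip dst_port proto action
SAMPLE_FLOWS = """\
2024-01-01T09:00:01Z 10.0.12.34 10.0.5.25 25 tcp allow
2024-01-01T09:00:05Z 10.0.12.34 203.0.113.10 587 tcp allow
2024-01-01T09:01:10Z 10.0.5.25 198.51.100.7 25 tcp allow
2024-01-01T09:02:00Z 10.0.40.8 203.0.113.10 25 tcp deny
2024-01-01T09:02:30Z 10.0.40.8 198.51.100.7 443 tcp allow
2024-01-01T09:03:00Z 192.0.2.50 10.0.5.25 25 tcp allow
malformed line
2024-01-01T09:04:00Z 10.0.12.34 203.0.113.10 587 tcp allow
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_unsanctioned_smtp(flow_text):
    """Map each offending internal host to {(dst_ip, dst_port): flow_count}."""
    hits = {}
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _, src, dst, port, proto, _action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue
        if proto != "tcp" or port not in SMTP_PORTS:
            continue
        # Only internal clients are in scope; the relays themselves deliver mail outbound.
        if not is_internal(src_ip) or src_ip in SANCTIONED_RELAYS:
            continue
        if dst_ip in SANCTIONED_RELAYS:
            continue  # sanctioned path
        # Denied flows are counted too: the device still needs review.
        per_host = hits.setdefault(str(src_ip), {})
        key = (str(dst_ip), port)
        per_host[key] = per_host.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for host, dests in find_unsanctioned_smtp(SAMPLE_FLOWS).items():
        print(host, dests)
```

The per-host output gives the device list for step 2 and the destination list for the firewall block in step 1.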