Detects unauthorized webmail access attempts based on the External Mail Service pattern group.
| matchsig field=domain guid="17e9daca-0d1e-4c5e-9636-13992199a411" verify=f
| eval result = strjoin("\n", foreach(valueof(_1, "rule"), _matchsig_result)) | fields - _matchsig_result
