Patterns for NTA
Phishing is classified as Technique ID 1598 (T1598), and it contains three sub-techniques: Spearphishing Service, Spearphishing Attachment and Spearphishing Link.
The NIST phishing incident response playbook gives the context and purpose for which these patterns will be reusable in NTA.
Narrow down packet output using SMTP status codes:
Message for status code 220:
<domain> Service ready
mailbox name not allowed
Status code typically preceding an SMTP DATA command:
Standard SMTP port: