An endpoint is emailing an
excessive amount of data from your network, and the endpoint performing
the transfer is not an internal SMTP server. The amount of data
contained in the email exceeds a predetermined limit.
Transfer data they have
stolen from your network to a location that is convenient and useful
the process/user performing the data transfer to determine if the
transfer is sanctioned.