Most people aren't aware but IPS will also detect and block outbound connects from infected machines using network protection technology so it's possible there's something nasty hiding that only shows itself very periodically.
Note this technology doesn't rely on a list of blacklisted, known bad hosts as that is not reliable. C&C's have too many tricks to hide and will pop up for an hour and then go dormant for weeks only to come back up with a different IP, country, etc.
Lists don't work very well. It's like relying on URL filtering for your web security, impossible to build and maintain an accurate list, just too much flux out there. To be at all reliable which is a prereq to protection, you need to look at the payload which is one of the things IPS does in this scenario.
I'd recommend opening a case to have the alert looked at just to be safe given those log details, unless there's a good reason why your mail servers should be reaching out to a host in Brazil.