
Summary
This detection rule identifies potentially malicious activity in Microsoft Exchange environments in which an adversary modifies the ExternalUrl property of the OabVirtualDirectory using a script. Specifically, the rule watches Exchange Management Shell logs for a command that contains all of the keywords 'Set-OabVirtualDirectory', 'ExternalUrl', 'Page_Load' and 'script'. Together these terms strongly indicate a change that does not match standard administrative practice, especially one that redirects the Offline Address Book (OAB) to an untrusted or suspicious location. The commands the rule captures are issued in the course of administering the Exchange environment; an altered OAB virtual directory could be used to facilitate further attacks or to exfiltrate sensitive data.
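The keyword logic described above, run over a few constructed Exchange Management Shell log lines, as an added example that is not part of the original rule; the log format, line contents and the `matches_rule`/`scan` helper names are assumptions made for illustration:

```python
import re
from typing import Iterable, List, Dict, Optional

# The four keywords named in the rule; every one must appear in the same logged command.
# PowerShell cmdlet and parameter names are case-insensitive, so the comparison is too.
RULE_KEYWORDS = ("Set-OabVirtualDirectory", "ExternalUrl", "Page_Load", "script")


def matches_rule(log_line: str) -> bool:
    """True when all rule keywords occur in the logged command text (AND, not OR)."""
    lowered = log_line.lower()
    return all(kw.lower() in lowered for kw in RULE_KEYWORDS)


def extract_external_url(log_line: str) -> Optional[str]:
    """Pull the quoted -ExternalUrl value out of a command so an analyst can eyeball it."""
    m = re.search(r"-ExternalUrl\s+(['\"])(.*?)\1", log_line, re.IGNORECASE | re.DOTALL)
    return m.group(2) if m else None


def scan(lines: Iterable[str]) -> List[Dict]:
    """Return one record per matching line: line number, the ExternalUrl value and the raw text."""
    hits = []
    for n, line in enumerate(lines, 1):
        if matches_rule(line):
            hits.append({"line": n, "external_url": extract_external_url(line), "text": line})
    return hits


# Constructed sample log lines (hypothetical; not real events from any environment).
SAMPLE_LOG = [
    # Legitimate administrative change: a new OAB URL with no script content.
    'Cmdlet: Set-OabVirtualDirectory -Identity "EX01\\OAB (Default Web Site)" -ExternalUrl "https://mail.example.com/OAB"',
    # Unrelated cmdlet that happens to mention a script; must not fire.
    'Cmdlet: Set-OwaVirtualDirectory -Identity "EX01\\owa (Default Web Site)" -ExternalUrl "https://mail.example.com/owa" # applied by deployment script',
    # Suspicious: the ExternalUrl value carries server-side script markers instead of a plain URL.
    'Cmdlet: Set-OabVirtualDirectory -Identity "EX01\\OAB (Default Web Site)" -ExternalUrl \'http://f/<script runat="server">[ELIDED] Page_Load</script>\'',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: ExternalUrl={hit['external_url']!r}")
```

Because all four keywords must co-occur, the ordinary ExternalUrl change in the first sample line stays quiet; a keyword match of this kind is easy to evade through obfuscation, so treat it as a high-confidence, low-coverage signal rather than the only check on OAB virtual directory changes.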
Categories
- Endpoint
- Cloud
- On-Premise
- Infrastructure
Data Sources
- User Account
- Application Log
Created: 2021-03-15