Exchange PowerShell Snap-Ins Usage

Sigma Rules

Summary
This detection rule identifies unauthorized use of Exchange PowerShell snap-ins, a technique observed in attacks attributed to the HAFNIUM and APT27 threat groups. It targets process creation events on Windows systems, looking for PowerShell invocations whose command line adds a Microsoft Exchange snap-in. The rule combines several selection criteria to capture these actions while filtering out noise such as snap-in loads started by the 'msiexec' installer process, which may be legitimate. By alerting on this behaviour, the rule aims to reduce the risk of unauthorized data extraction and other exploitation involving Exchange servers.
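As an added illustration of the rule's logic (this is not the Sigma rule's own source), the following Python evaluates the conditions described above over constructed process-creation events: a Windows PowerShell image, a command line that adds an Exchange snap-in, and the msiexec parent-process exclusion. The command-line pattern (Add-PSSnapin followed by a Microsoft.Exchange snap-in name) and the example snap-in name are assumptions, not taken from the rule.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 or Security 4688)."""
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process

# Only Windows PowerShell hosts: snap-ins are not supported by pwsh.exe
# (PowerShell 7), so it is deliberately not matched.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe")

# Assumed indicator of "adding an Exchange snap-in": Add-PSSnapin followed by a
# snap-in name starting with Microsoft.Exchange, matched case-insensitively.
EXCHANGE_SNAPIN_RE = re.compile(r"add-pssnapin\b.*\bmicrosoft\.exchange", re.IGNORECASE)

def is_powershell(event: ProcessEvent) -> bool:
    return event.image.lower().endswith(POWERSHELL_IMAGES)

def adds_exchange_snapin(event: ProcessEvent) -> bool:
    return EXCHANGE_SNAPIN_RE.search(event.command_line) is not None

def spawned_by_msiexec(event: ProcessEvent) -> bool:
    # Noise filter from the rule: installer-driven snap-in loads are treated as benign.
    return event.parent_image.lower().endswith("\\msiexec.exe")

def matches(event: ProcessEvent) -> bool:
    """Every selection must hold and the msiexec exclusion must not."""
    return is_powershell(event) and adds_exchange_snapin(event) and not spawned_by_msiexec(event)

def run_detection(events):
    """Return the events that would raise an alert."""
    return [e for e in events if matches(e)]

# Constructed sample events (not real telemetry): the true positive, the msiexec
# exclusion, an unrelated PowerShell run, and the same command under pwsh.exe.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SNAPIN = "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn"  # assumed name
SAMPLE_EVENTS = [
    ProcessEvent(PS, f'powershell.exe -NoProfile -Command "{SNAPIN}; Get-Mailbox"', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(PS, f'powershell.exe -Command "{SNAPIN}"', r"C:\Windows\System32\msiexec.exe"),
    ProcessEvent(PS, "powershell.exe -Command Get-Service", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe", f"pwsh.exe -c {SNAPIN}", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.command_line, "| parent:", hit.parent_image)
```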
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Logon Session
  • Application Log
Created: 2021-03-03