O365 Modify Exchange Access Settings

Anvilogic Forge

Summary
This detection rule monitors use of the Set-CASMailbox cmdlet, which modifies client access settings for Exchange mailboxes in Office 365. The rule identifies instances where an attacker may register their own devices as trusted for ActiveSync and thereby gain unauthorized access to mailbox resources. The rule's association with APT29 (also known as Nobelium or Cozy Bear) indicates that it is aimed at detecting sophisticated threats targeting Exchange Online. The detection logic is implemented in Splunk and queries Office 365 cloud data to capture detailed information about mailbox configurations and the user actions surrounding them. The rule records parameters such as the acting user account, source IP address, and request parameters so that anomalous mailbox access modifications indicative of malicious activity can be identified.
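The detection logic described above, as an added Python example rather than the rule's own Splunk search: it walks Office 365 Unified Audit Log records, keeps Exchange Set-CASMailbox operations whose parameters touch ActiveSync device access, and reports the actor, source IP, target mailbox and changed values. The parameter names are real Set-CASMailbox parameters; the audit records are constructed samples shaped like UAL JSON.

```python
"""Flag Set-CASMailbox audit records that alter ActiveSync access (added example)."""

# Set-CASMailbox parameters that change which devices may sync a mailbox.
ACTIVESYNC_PARAMS = {
    "ActiveSyncAllowedDeviceIDs",
    "ActiveSyncBlockedDeviceIDs",
    "ActiveSyncEnabled",
    "ActiveSyncMailboxPolicy",
}


def flag_activesync_changes(records):
    """Return one finding per Exchange Set-CASMailbox record touching ActiveSync."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") != "Set-CASMailbox":
            continue
        # UAL stores cmdlet arguments as a list of {"Name": ..., "Value": ...} entries.
        params = {p["Name"]: p.get("Value") for p in rec.get("Parameters", [])}
        hits = sorted(name for name in params if name in ACTIVESYNC_PARAMS)
        if not hits:
            continue  # e.g. only OWAEnabled/PopEnabled changed: not in scope here
        findings.append({
            "time": rec.get("CreationTime"),
            "actor": rec.get("UserId"),
            "src_ip": rec.get("ClientIP"),
            "mailbox": rec.get("ObjectId"),
            "changed": {name: params[name] for name in hits},
        })
    return findings


# Constructed sample records (not real audit data), in UAL JSON shape.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-02-09T10:15:00", "Workload": "Exchange",
     "Operation": "Set-CASMailbox", "UserId": "admin@example.test",
     "ClientIP": "203.0.113.10", "ObjectId": "ceo@example.test",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.test"},
                    {"Name": "ActiveSyncAllowedDeviceIDs", "Value": "DEVICEID0001"}]},
    {"CreationTime": "2024-02-09T10:16:00", "Workload": "Exchange",
     "Operation": "Set-CASMailbox", "UserId": "admin@example.test",
     "ClientIP": "203.0.113.10", "ObjectId": "user@example.test",
     "Parameters": [{"Name": "Identity", "Value": "user@example.test"},
                    {"Name": "OWAEnabled", "Value": "False"}]},
    {"CreationTime": "2024-02-09T10:17:00", "Workload": "Exchange",
     "Operation": "Set-Mailbox", "UserId": "admin@example.test",
     "ClientIP": "203.0.113.10", "ObjectId": "user@example.test",
     "Parameters": [{"Name": "Identity", "Value": "user@example.test"}]},
]

if __name__ == "__main__":
    for finding in flag_activesync_changes(SAMPLE_RECORDS):
        print(finding)
```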
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • Cloud Service
  • Application Log
  • User Account
ATT&CK Techniques
  • T1078
Created: 2024-02-09