
Summary
The "ProxyShell ProxyNotShell Behavior Detected" correlation rule is designed to identify potential exploitation of Microsoft Exchange Servers through known vulnerabilities such as ProxyShell and ProxyNotShell. The analytic captures post-exploitation behaviors, including the execution of tools like nltest, Cobalt Strike, and Mimikatz, and the creation of new user accounts. The rule requires matching events from a minimum of five distinct sources before it triggers, which significantly reduces false positives while still detecting genuine threats. Together, these activities indicate a high probability of an active compromise that can lead to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed as malicious, this activity may allow attackers to gain full control of the Exchange server, exfiltrate sensitive data, and maintain long-term access.
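As an added illustration of the "five distinct sources" correlation described above (example code written for this page, not the rule's own logic or any vendor's implementation), the following groups individual detections by host and only raises an alert when enough distinct detection sources fire within a time window. The detection names, hosts, and timestamps are constructed sample data; the 24-hour window is an assumption, since the rule description does not state one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold taken from the rule description; window is an assumed value.
MIN_DISTINCT_SOURCES = 5
WINDOW = timedelta(hours=24)

# Constructed sample detections, not real telemetry: (host, source, timestamp).
# Source names are hypothetical, modelled on the behaviours the summary lists.
SAMPLE_DETECTIONS = [
    ("exch01", "Exchange ProxyShell ProxyNotShell Web Request", "2024-11-15T08:00:00"),
    ("exch01", "Nltest Domain Trust Discovery",                "2024-11-15T08:05:00"),
    ("exch01", "Cobalt Strike Named Pipe",                     "2024-11-15T08:07:00"),
    ("exch01", "Mimikatz LSASS Access",                        "2024-11-15T08:09:00"),
    ("exch01", "New Local User Account Created",               "2024-11-15T08:12:00"),
    ("exch01", "Nltest Domain Trust Discovery",                "2024-11-15T08:20:00"),  # repeat of one source
    ("exch02", "Nltest Domain Trust Discovery",                "2024-11-15T09:00:00"),
    ("exch02", "New Local User Account Created",               "2024-11-15T09:30:00"),
]


def correlate(detections, min_sources=MIN_DISTINCT_SOURCES, window=WINDOW):
    """Return {host: sorted distinct sources} for every host on which at least
    `min_sources` *distinct* detection sources fired inside one `window`.
    Repeated hits from the same source do not count twice, which is what
    keeps a single noisy detection from triggering the correlation."""
    by_host = defaultdict(list)
    for host, source, ts in detections:
        by_host[host].append((datetime.fromisoformat(ts), source))

    alerts = {}
    for host, events in by_host.items():
        events.sort()
        # Sliding window: treat each event as a candidate window start and
        # collect the distinct sources seen before the window expires.
        for i, (start, _) in enumerate(events):
            seen = set()
            for t, source in events[i:]:
                if t - start > window:
                    break
                seen.add(source)
            if len(seen) >= min_sources:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, sources in correlate(SAMPLE_DETECTIONS).items():
        print(f"ALERT {host}: {len(sources)} distinct sources -> {sources}")
```

Running it alerts only on exch01: exch02 has two distinct sources and stays below the threshold, as does exch01 if the window is shrunk to a few minutes.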
Categories
- Network
- Endpoint
- Windows
- Cloud
Data Sources
- Container
- User Account
- Application Log
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1190
- T1133
Created: 2024-11-15