Exchange PowerShell Module Usage

Splunk Security Content

Summary
The Exchange PowerShell Module Usage analytic detects execution of specific Exchange PowerShell cmdlets that adversaries have abused after exploiting vulnerabilities such as ProxyShell and ProxyNotShell. The monitored cmdlets are New-MailboxExportRequest, New-ManagementRoleAssignment, New-MailboxSearch, and Get-Recipient. The detection relies on PowerShell Script Block Logging (EventCode 4104), so it only produces results on hosts where Script Block Logging is enabled and forwarded. Because these cmdlets can export mailboxes, grant management roles, and search mailbox contents, their execution is a useful signal for data theft or privilege escalation following an Exchange compromise. The same cmdlets are also part of routine Exchange administration, so hits should be triaged against the executing account, the host, and the surrounding activity (for example a role assignment immediately followed by a mailbox export) rather than treated as malicious on their own.
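The following is an added example, not the Splunk detection's own search logic: it re-creates the idea of the analytic in Python so it can run offline over a handful of constructed 4104 events. It keeps only EventCode 4104 records, matches the four cmdlets case-insensitively inside ScriptBlockText, and groups hits by Computer and UserID with a first-seen/last-seen window, which is how a triage view of "who ran what, where, and when" is usually built from this telemetry. The field names (EventCode, Computer, UserID, ScriptBlockText, _time) follow the names Splunk typically extracts from Microsoft-Windows-PowerShell/Operational events and are an assumption here; the sample events, hostnames, and account names are constructed, not real logs.

```python
"""Flag Exchange PowerShell cmdlets in PowerShell Script Block Logging events.

Added example; not the Splunk Security Content detection itself. Field names
(EventCode, Computer, UserID, ScriptBlockText, _time) are assumed to match what
Splunk extracts from Microsoft-Windows-PowerShell/Operational 4104 records.
All sample events below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Cmdlets named by the analytic. Matching is case-insensitive and a substring
# match, so "get-recipient -Filter ..." and a New-MailboxExportRequest buried
# inside a longer one-liner are both caught.
WATCHED_CMDLETS = (
    "New-MailboxExportRequest",
    "New-ManagementRoleAssignment",
    "New-MailboxSearch",
    "Get-Recipient",
)
_PATTERN = re.compile("|".join(re.escape(c) for c in WATCHED_CMDLETS), re.IGNORECASE)


def matched_cmdlets(script_block_text):
    """Return the watched cmdlets present in one ScriptBlockText, deduplicated, in canonical case."""
    found = {m.group(0).lower() for m in _PATTERN.finditer(script_block_text)}
    return sorted(c for c in WATCHED_CMDLETS if c.lower() in found)


def detect(events):
    """Apply the analytic to a list of event dicts and group hits by (Computer, UserID).

    Only EventCode 4104 (Script Block Logging) records are considered.
    Returns {(Computer, UserID): {"count", "first_seen", "last_seen", "cmdlets"}}.
    """
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "cmdlets": set()})
    for ev in events:
        if ev.get("EventCode") != 4104:  # other PowerShell event types carry no script block text of interest here
            continue
        cmdlets = matched_cmdlets(ev.get("ScriptBlockText", ""))
        if not cmdlets:
            continue
        h = hits[(ev["Computer"], ev["UserID"])]
        h["count"] += 1
        h["cmdlets"].update(cmdlets)
        t = ev["_time"]
        h["first_seen"] = t if h["first_seen"] is None else min(h["first_seen"], t)
        h["last_seen"] = t if h["last_seen"] is None else max(h["last_seen"], t)
    return dict(hits)


# Constructed sample events (hostnames, accounts and paths are made up).
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": 1700000000, "Computer": "EXCH01.corp.local", "UserID": "CORP\\svc-iis",
     "ScriptBlockText": 'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User svc-iis'},
    {"EventCode": 4104, "_time": 1700000060, "Computer": "EXCH01.corp.local", "UserID": "CORP\\svc-iis",
     "ScriptBlockText": "New-MailboxExportRequest -Mailbox ceo -FilePath \\\\EXCH01\\exports\\ceo.pst"},
    {"EventCode": 4104, "_time": 1700000120, "Computer": "EXCH01.corp.local", "UserID": "CORP\\exadmin",
     "ScriptBlockText": "get-recipient -ResultSize 50 | Select Name"},
    {"EventCode": 4104, "_time": 1700000180, "Computer": "WS22.corp.local", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    # Same cmdlet but EventCode 4103 (module logging), so the analytic ignores it.
    {"EventCode": 4103, "_time": 1700000240, "Computer": "EXCH01.corp.local", "UserID": "CORP\\svc-iis",
     "ScriptBlockText": "New-MailboxSearch -Name x"},
]

if __name__ == "__main__":
    for (computer, user), h in detect(SAMPLE_EVENTS).items():
        print(f"{computer} {user}: {h['count']} hit(s), cmdlets={sorted(h['cmdlets'])}, "
              f"window={h['first_seen']}..{h['last_seen']}")
```

Run as-is, the constructed data yields two groups: the service account on EXCH01 with a role assignment followed one minute later by a mailbox export (the sequence worth escalating), and an admin account issuing a single Get-Recipient, which on its own is ordinary Exchange administration. The fourth event has no watched cmdlet and the fifth is not a 4104 record, so neither appears. If Script Block Logging is not enabled on the Exchange servers, there are no 4104 events to evaluate and this logic, like the analytic, stays silent.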
Categories
  • Endpoint
  • Infrastructure
Data Sources
  • Persona
ATT&CK Techniques
  • T1059
  • T1059.001
Created: 2024-11-13