
Summary
This detection rule identifies the use of the PowerShell cmdlet `Set-CASMailbox` to add a device ID to the `ActiveSyncAllowedDeviceIDs` list, which may indicate an attempt by adversaries to gain persistent access to user email accounts. The rule monitors for suspicious PowerShell activity and flags instances where the specified command patterns are detected. The context surrounding the use of this command is crucial, as it helps distinguish legitimate administrative actions from potentially malicious activity. Windows environments running Exchange services are particularly exposed: an unauthorized modification to a user's allowed devices can lead to significant data breaches. The rule uses EQL (Event Query Language) to query logs from multiple sources, including Windows Sysmon, Microsoft Defender, and various endpoint logs, providing comprehensive coverage of potential exploitation avenues. Investigative procedures are outlined, emphasizing the importance of correlating findings with other security logs and being mindful of false positives from legitimate administrative activities. Corrective actions and ongoing monitoring are advised following any incident detected by this rule.
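As an added illustration (not the rule's own EQL or any vendor code), the matching logic described above can be approximated in Python over a few constructed process-creation events. The ECS-style field names, the list of PowerShell host binaries, the regular expressions, and the sample command lines are all assumptions made for this example.

```python
import re

# Constructed process-creation events, not real telemetry. Field names follow
# ECS-style conventions as an assumption about what the endpoint logs carry.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start", "process.name": "powershell.exe",
     "process.command_line": 'powershell.exe -c "Set-CASMailbox -Identity jdoe '
                             '-ActiveSyncAllowedDeviceIDs @{Add=\'ABCDEF123\'}"'},
    {"host.os.type": "windows", "event.type": "start", "process.name": "pwsh.exe",
     "process.command_line": "pwsh -Command Set-CASMailbox -Identity jdoe -OWAEnabled $false"},
    {"host.os.type": "windows", "event.type": "start", "process.name": "notepad.exe",
     "process.command_line": "notepad.exe ActiveSyncAllowedDeviceIDs.txt"},
    {"host.os.type": "linux", "event.type": "start", "process.name": "pwsh",
     "process.command_line": "pwsh -c Set-CASMailbox -ActiveSyncAllowedDeviceIDs @{Add='X'}"},
]

# Assumed set of PowerShell host executables to scope the check to.
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# PowerShell cmdlet and parameter names are not case-sensitive, so match accordingly.
CMDLET_RE = re.compile(r"\bSet-CASMailbox\b", re.IGNORECASE)
PARAM_RE = re.compile(r"-ActiveSyncAllowedDeviceIDs\b", re.IGNORECASE)
# Captures the contents of an @{Add=...} hash-table argument for triage context.
ADD_RE = re.compile(r"-ActiveSyncAllowedDeviceIDs\s+@\{\s*Add\s*=\s*([^}]+)\}", re.IGNORECASE)


def is_activesync_device_allow(event: dict) -> bool:
    """True when a Windows PowerShell process start carries the Set-CASMailbox /
    ActiveSyncAllowedDeviceIDs pattern the rule summary describes."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    if event.get("process.name", "").lower() not in POWERSHELL_NAMES:
        return False
    cmd = event.get("process.command_line", "")
    return bool(CMDLET_RE.search(cmd) and PARAM_RE.search(cmd))


def extract_added_device_ids(command_line: str) -> list:
    """Return device IDs passed via @{Add=...}, so an analyst can check them
    against the user's known devices; empty if the parameter is set another way."""
    m = ADD_RE.search(command_line)
    if not m:
        return []
    return [d.strip(" '\"") for d in m.group(1).split(",") if d.strip(" '\"")]


def find_alerts(events: list) -> list:
    """Run the check over a batch of events and pair each hit with its device IDs."""
    return [(e["process.command_line"], extract_added_device_ids(e["process.command_line"]))
            for e in events if is_activesync_device_allow(e)]


if __name__ == "__main__":
    for cmd, ids in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT device_ids={ids} cmd={cmd}")
```

Only the first sample event fires; the second is a different `Set-CASMailbox` change, the third is not a PowerShell host, and the fourth is not a Windows host, which is the kind of scoping that keeps the false-positive rate manageable.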
Categories
- Endpoint
- Windows
- Cloud
- Mobile
- Identity Management
Data Sources
- Process
- Windows Registry
- Application Log
- Cloud Service
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.002
- T1059
- T1059.001
Created: 2020-12-15