
Summary
This detection rule identifies use of the Exchange PowerShell cmdlet New-MailboxExportRequest, which exports the contents of a mailbox or archive to a .pst file. Adversaries may abuse it to collect email in bulk, since mailboxes often hold valuable information such as login credentials and proprietary data. The cmdlet exists only in on-premises Exchange environments and operates on one mailbox per request. Investigation covers the process execution chain, validation of the user account that issued the request, and a check for abnormal behavior around mailbox export requests; a large number of requests, especially against mailboxes that hold personally identifiable information, calls for immediate attention. Legitimate administrative activity can trigger false positives, which can be reduced by confirming that the export was approved. The response guidance covers incident response steps, review of user privileges, and full malware scans to ensure security and compliance.
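The following is an added illustration of the detection logic described above, not the rule's own query: it scans constructed process-creation events for the cmdlet, pulls out the context an analyst triages first (user, parent process, target mailbox, destination .pst path), and counts requests per account to surface the high-volume case. Field names, the sample events and the volume threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry): each is a
# PowerShell launch with its command line, as an EDR or Sysmon event would record it.
SAMPLE_EVENTS = [
    {"user": "CORP\\exadmin", "parent": "ServiceHost.exe", "process": "powershell.exe",
     "cmdline": 'powershell.exe -Command "New-MailboxExportRequest -Mailbox ceo -FilePath \\\\fs01\\pst\\ceo.pst"'},
    {"user": "CORP\\exadmin", "parent": "cmd.exe", "process": "powershell.exe",
     "cmdline": 'powershell.exe -nop -c "new-mailboxexportrequest -Mailbox cfo -FilePath \\\\fs01\\pst\\cfo.pst"'},
    {"user": "CORP\\exadmin", "parent": "cmd.exe", "process": "powershell.exe",
     "cmdline": 'powershell.exe -c "New-MailboxExportRequest -Mailbox hr-shared -FilePath \\\\fs01\\pst\\hr.pst"'},
    {"user": "CORP\\helpdesk", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-MailboxExportRequest | Get-MailboxExportRequestStatistics"'},
]

# Cmdlet names are case-insensitive in PowerShell; the word boundary keeps the
# Get-/Remove-/Resume- variants of the cmdlet (benign status checks) from matching.
CMDLET_RE = re.compile(r"\bNew-MailboxExportRequest\b", re.IGNORECASE)
MAILBOX_RE = re.compile(r"-Mailbox\s+(\S+)", re.IGNORECASE)
FILEPATH_RE = re.compile(r"-FilePath\s+(\S+)", re.IGNORECASE)


def detect_mailbox_exports(events):
    """Return one finding per event that invokes New-MailboxExportRequest,
    with the user, parent process, target mailbox and .pst destination."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        if not CMDLET_RE.search(cmd):
            continue
        mailbox = MAILBOX_RE.search(cmd)
        filepath = FILEPATH_RE.search(cmd)
        findings.append({
            "user": ev["user"],
            "parent": ev["parent"],
            "mailbox": mailbox.group(1).strip('"\'') if mailbox else None,
            "pst_path": filepath.group(1).strip('"\'') if filepath else None,
        })
    return findings


def exports_per_user(findings, threshold=3):
    """Count export requests per account; accounts at or above the (assumed)
    threshold are the 'significant volume' case that warrants immediate review."""
    counts = Counter(f["user"] for f in findings)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect_mailbox_exports(SAMPLE_EVENTS)
    print(hits, exports_per_user(hits))
```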
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- User Account
- Script
ATT&CK Techniques
- T1005
- T1114
- T1114.002
- T1059
- T1059.001
Created: 2020-12-15