Suspicious PowerShell Mailbox SMTP Forward Rule

Sigma Rules

Summary
This detection rule identifies potentially malicious use of the PowerShell Set-Mailbox cmdlet, specifically the creation of SMTP forwarding rules in Exchange environments. By detecting invocations of Set-Mailbox with parameters related to email forwarding, the rule aims to uncover attempts to exfiltrate sensitive information by redirecting mail to unauthorized external addresses. Script Block Logging must be enabled so that the cmdlet activity is captured for analysis. Creating a forwarding rule can indicate account compromise, especially when there is no legitimate business need, and should therefore be treated as a security incident that warrants further investigation. The rule is particularly useful for IT security teams monitoring Exchange Server logs and alerts with the goal of mitigating data exfiltration through email channels. To keep false positives low, the rule accounts for normal operational situations in which the cmdlet is used legitimately, although such cases still require review.
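The following is an added example, not part of the Sigma rule or this page, showing how the check described above can be run over the ScriptBlockText of PowerShell Script Block Logging events (Event ID 4104). It assumes the forwarding-related parameters are -ForwardingSmtpAddress and -DeliverToMailboxAndForward (real Set-Mailbox parameters, though the page itself does not name them), and it assumes a list of internal domains so that forwards to external addresses can be rated higher than internal ones, which the summary says still need review. The log entries and domains are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption for this example: the organisation's own mail domains. A real
# deployment would load the Exchange accepted domains from configuration.
INTERNAL_DOMAINS = {"corp.example.com", "example.com"}

# Constructed sample ScriptBlockText values from Event ID 4104 entries.
# Synthetic, written for this example; not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    # Benign: quota change, no forwarding parameters.
    'Set-Mailbox -Identity "jdoe" -ProhibitSendQuota 2GB',
    # Suspicious: forward to an external address while keeping a local copy,
    # so the mailbox owner sees nothing missing.
    'Set-Mailbox -Identity "jdoe" -DeliverToMailboxAndForward $true '
    '-ForwardingSmtpAddress "smtp:external.user@mail-collector.example.net"',
    # Internal forward: common legitimate pattern, still worth a review.
    "Set-Mailbox -Identity 'shared.mbx' -ForwardingSmtpAddress smtp:team@corp.example.com",
    # Unrelated cmdlet that merely reads the forwarding attribute.
    'Get-Mailbox -Identity "jdoe" | Select-Object ForwardingSmtpAddress',
]

# \b on both sides keeps Set-MailboxFolderPermission and similar cmdlets out.
SET_MAILBOX_RE = re.compile(r"\bSet-Mailbox\b", re.IGNORECASE)
# Captures the address after an optional quote and optional "smtp:" prefix.
FORWARD_ADDR_RE = re.compile(
    r"-ForwardingSmtpAddress\s+[\"']?(?:smtp:)?([^\s\"']+)", re.IGNORECASE
)
DELIVER_AND_FORWARD_RE = re.compile(
    r"-DeliverToMailboxAndForward\s+\$?true\b", re.IGNORECASE
)


@dataclass
class ForwardFinding:
    target: str            # forwarding address set by the cmdlet
    external: bool         # target domain is not one of INTERNAL_DOMAINS
    keeps_local_copy: bool # -DeliverToMailboxAndForward $true was present
    severity: str          # "high" for external targets, "review" otherwise


def analyze_script_block(text: str) -> Optional[ForwardFinding]:
    """Return a finding when the script block sets an SMTP forward via Set-Mailbox."""
    if not SET_MAILBOX_RE.search(text):
        return None
    match = FORWARD_ADDR_RE.search(text)
    if not match:
        return None
    target = match.group(1).lower()
    domain = target.rsplit("@", 1)[-1]
    external = domain not in INTERNAL_DOMAINS
    keeps_copy = DELIVER_AND_FORWARD_RE.search(text) is not None
    severity = "high" if external else "review"
    return ForwardFinding(target, external, keeps_copy, severity)


def scan(script_blocks: List[str]) -> List[Tuple[int, ForwardFinding]]:
    """Run the check over a batch of script blocks and return (index, finding) pairs."""
    results = []
    for idx, block in enumerate(script_blocks):
        finding = analyze_script_block(block)
        if finding is not None:
            results.append((idx, finding))
    return results


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: severity={finding.severity} target={finding.target} "
              f"external={finding.external} keeps_local_copy={finding.keeps_local_copy}")
```

Rating internal forwards as "review" rather than suppressing them keeps the rule's intent: a forward to a domain the organisation owns is usually operational, but it is still a change to mail flow that an analyst should confirm against a ticket or change record.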
Categories
  • Windows
  • Cloud
  • On-Premise
Data Sources
  • Script
  • Windows Registry
  • Application Log
Created: 2022-10-26