
Summary
This detection rule identifies potential mailbox exfiltration in Microsoft Exchange environments by monitoring process-creation events for the PowerShell cmdlet `New-MailboxExportRequest`. Attackers who have gained Exchange PowerShell access, for example through the ProxyShell vulnerability chain, use this cmdlet to export a mailbox to a local or remote file share (the cmdlet's `-FilePath` argument must be a UNC path), which can indicate unauthorized data access or data theft. The rule matches command lines that contain `New-MailboxExportRequest`, the `-Mailbox` parameter and a file path, i.e. a mailbox export being initiated, and treats an unexpected or unauthorized export as a possible compromise of the Exchange server. Legitimate administrative exports produce the same command line, so false positives are expected; cross-check the context, the executing user account and the destination path before acting on an alert. The rule's severity is critical so that exfiltration attempts using this well-known cmdlet, which appears in real exploit tooling, are detected promptly.
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-08-07