Modify Exchange Access Settings

Anvilogic Forge

Summary
This detection rule monitors for unauthorized modifications to Exchange mailbox access settings made with the `Set-CASMailbox` PowerShell cmdlet. Because an attacker can use this cmdlet to reconfigure a mailbox so that their own devices are permitted for services such as Exchange ActiveSync, Outlook, POP3, and IMAP4, the rule treats such changes as potential signs of compromise. It relies on event codes 4103 (Windows PowerShell script block logging) and 4104 (Windows PowerShell command invocation) to identify when `Set-CASMailbox` is executed. Comprehensive logging of PowerShell commands is critical here, since it can expose attempts by threat actors such as APT29/Nobelium/Cozy Bear to manipulate user access settings. The rule captures the relevant metadata, including the event timestamp, host, user, signature ID, and process details, to support in-depth investigation of suspicious changes to Exchange configurations.
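The following is an added example, not Anvilogic's rule logic, showing the core of the detection in Python: filter to event codes 4103 and 4104, match the cmdlet name case-insensitively, and pull out the parameters that widen client or protocol access so an analyst can see what was changed. The event records are constructed, and their field names (event_id, time, host, user, process, message) are an assumption about how a log pipeline normalises PowerShell events.

```python
"""Flag Set-CASMailbox executions in PowerShell event logs (event codes 4103/4104)."""
import re
from dataclasses import dataclass

POWERSHELL_EVENT_IDS = {4103, 4104}  # the two event codes the rule keys on
CMDLET_RE = re.compile(r"\bSet-CASMailbox\b", re.IGNORECASE)
# "-Name value" or "-Name:value" pairs; the value is optional and never starts with '-'.
# Quoted values containing spaces are not handled; the sample events do not need it.
PARAM_RE = re.compile(r"-([A-Za-z]+)(?:[\s:]+(?!-)(\S+))?")
# Set-CASMailbox parameters that change which clients or protocols may reach a mailbox.
# Singling these out for triage is a choice of this example, not part of the page's rule.
ACCESS_PARAMS = {"activesyncenabled", "activesyncalloweddeviceids", "imapenabled",
                 "popenabled", "owaenabled", "mapienabled", "ewsenabled"}

@dataclass
class Finding:
    time: str
    host: str
    user: str
    event_id: int          # the signature ID the rule reports
    process: str
    command: str
    access_changes: dict   # access-related parameter -> value as typed

def detect(events):
    """Return one Finding per 4103/4104 event whose text invokes Set-CASMailbox."""
    findings = []
    for ev in events:
        if ev["event_id"] not in POWERSHELL_EVENT_IDS:
            continue                     # other channels (e.g. 4688) are out of scope here
        msg = ev["message"]
        if not CMDLET_RE.search(msg):
            continue                     # Get-CASMailbox and friends are not modifications
        changes = {name: (val or "<switch>") for name, val in PARAM_RE.findall(msg)
                   if name.lower() in ACCESS_PARAMS}
        findings.append(Finding(ev["time"], ev["host"], ev["user"], ev["event_id"],
                                ev["process"], msg.strip(), changes))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"event_id": 4104, "time": "2024-02-09T10:01:02Z", "host": "EXCH01", "user": "CORP\\svc-ex",
     "process": "powershell.exe", "message": "Get-CASMailbox -Identity jdoe | Format-List"},
    {"event_id": 4103, "time": "2024-02-09T10:05:44Z", "host": "EXCH01", "user": "CORP\\admin2",
     "process": "powershell.exe",
     "message": 'Set-CASMailbox -Identity jdoe -ImapEnabled $true -ActiveSyncAllowedDeviceIDs "DEV-1","DEV-2"'},
    {"event_id": 4104, "time": "2024-02-09T10:07:10Z", "host": "EXCH02", "user": "CORP\\admin2",
     "process": "powershell.exe", "message": "set-casmailbox jdoe -OWAEnabled:$false"},
    {"event_id": 4688, "time": "2024-02-09T10:08:00Z", "host": "WS17", "user": "CORP\\jdoe",
     "process": "cmd.exe", "message": "powershell -c Set-CASMailbox -PopEnabled $true"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.time} {f.host} {f.user} EID={f.event_id} {f.process}: {f.access_changes}")
```

Only the two PowerShell-logged invocations are reported; the 4688 process event carries the same cmdlet but falls outside the event codes this rule uses, which is why enabling 4103/4104 logging on Exchange hosts matters.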
Categories
  • Identity Management
  • Infrastructure
  • Web
Data Sources
  • User Account
  • Process
  • Application Log
  • Windows Registry
ATT&CK Techniques
  • T1059.001
Created: 2024-02-09