Remove Exported Mailbox from Exchange Webserver

Sigma Rules

Summary
This detection rule identifies the removal of an exported mailbox from an Exchange server, which may indicate an attempt to cover tracks after a ProxyShell exploit. The rule looks for keywords associated with the Exchange Management Shell cmdlet 'Remove-MailboxExportRequest', specifically when it is run with the '-Identity' flag and '-Confirm "False"'. Suppressing the confirmation prompt in this way suggests the command is being run deliberately and non-interactively, which points to potential malicious intent. The detection is scoped to events from the 'msexchange-management' log source, the log that records administrative cmdlet activity on Exchange servers. This behaviour, especially in an environment recently targeted through ProxyShell vulnerabilities, warrants heightened attention because it is associated with attempts to hide malicious actions.
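The following is an added example, not part of the original rule page, showing the rule's keyword logic applied to constructed log events. It assumes the three keywords named above must all appear (case-insensitively, as Sigma matches strings) and that 'msexchange-management' is the resolved log source name attached to each event.

```python
from dataclasses import dataclass

# Keywords taken from the rule description above; all three must be present.
# Sigma string matching is case-insensitive, which is reproduced here.
RULE_KEYWORDS = (
    "Remove-MailboxExportRequest",
    " -Identity ",
    ' -Confirm "False"',
)
# Assumed: the pipeline tags each event with the Sigma logsource service name.
RULE_LOGSOURCE = "msexchange-management"


@dataclass
class Event:
    source: str   # resolved log source name (assumption, see lead-in)
    message: str  # free-text message body of the event


def matches_rule(event: Event) -> bool:
    """True when the event comes from the Exchange management log and its
    message contains every keyword as a case-insensitive substring."""
    if event.source.lower() != RULE_LOGSOURCE:
        return False
    haystack = event.message.lower()
    return all(keyword.lower() in haystack for keyword in RULE_KEYWORDS)


def find_matches(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; these are not real Exchange log records.
SAMPLE_EVENTS = [
    Event("msexchange-management",
          'Remove-MailboxExportRequest -Identity "admin\\Export1" -Confirm "False"'),
    # Same request only queried, not removed: must not fire.
    Event("msexchange-management",
          'Get-MailboxExportRequest -Identity "admin\\Export1"'),
    # Different confirmation syntax: the rule as written does not cover it,
    # which matters when tuning or extending the keyword list.
    Event("msexchange-management",
          'Remove-MailboxExportRequest -Identity "admin\\Export1" -Confirm:$false'),
    # Right text, wrong log source: must not fire.
    Event("security",
          'Remove-MailboxExportRequest -Identity "x" -Confirm "False"'),
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit.message)
```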
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • User Account
  • Application Log
  • Process
Created: 2021-08-27