
Summary
This detection rule identifies potentially suspicious use of the PowerShell New-MailboxExportRequest cmdlet, which is commonly abused in ProxyShell attacks. It captures instances where a mailbox is exported to a remote or local share, which can indicate an unauthorized data exfiltration attempt. Such actions, especially when performed from compromised accounts, can lead to serious breaches of sensitive information held on Microsoft Exchange servers. The rule requires that Script Block Logging be enabled on the monitored system so that the PowerShell scripts executed there can be inspected. The key indicators are the specific command phrases associated with mailbox export requests; a match should prompt further investigation. The rule is categorized at a critical threat level, underscoring its importance in the security monitoring framework. Analysts should refer to the related materials for deeper insights into ProxyShell vulnerabilities and exploitation methods.
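As an added example (not the rule's own logic or code from the project), the following Python applies the indicators described above to constructed Script Block Logging entries (the ScriptBlockText of PowerShell event 4104): it flags script blocks that call New-MailboxExportRequest and classifies the export destination as a remote or a local share. The sample script blocks, hostnames and the `local_names` parameter are assumptions made for illustration.

```python
import re

# Constructed ScriptBlockText samples written for this example; none is from a real host.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MailboxExportRequest | Get-MailboxExportRequestStatistics",
    'New-MailboxExportRequest -Mailbox "jdoe" -FilePath "\\\\backup01\\pst\\jdoe.pst"',
    "new-mailboxexportrequest -mailbox admin -filepath \\\\127.0.0.1\\c$\\temp\\a.pst",
    "Get-Mailbox -ResultSize Unlimited | Select-Object Name",
]

# Indicator 1: the export cmdlet itself (PowerShell is case-insensitive, so match that way).
CMDLET = re.compile(r"new-mailboxexportrequest", re.IGNORECASE)
# Indicator 2: a -FilePath argument pointing at a UNC path \\host\share\...; group 2 is the host.
FILEPATH = re.compile(r"-filepath\s+[\"']?(\\\\([^\\\"'\s]+)\\[^\"'\s]+)", re.IGNORECASE)
# Loopback names that make a UNC path resolve to the Exchange server's own disk.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def inspect_script_block(text, local_names=frozenset()):
    """Return a finding dict when the script block requests a mailbox export, else None.

    local_names: this server's own names (assumed to come from inventory), so an export
    to \\\\<own name>\\share is classified as a local share like a loopback address is.
    """
    if not CMDLET.search(text):
        return None
    finding = {"cmdlet": "New-MailboxExportRequest", "path": None,
               "host": None, "share_type": "unknown"}
    match = FILEPATH.search(text)
    if match:
        host = match.group(2).lower()
        own_names = LOOPBACK | {n.lower() for n in local_names}
        finding.update(path=match.group(1), host=host,
                       share_type="local" if host in own_names else "remote")
    return finding


def scan(blocks, local_names=frozenset()):
    """Run the check over a batch of script blocks and keep only the hits."""
    return [f for f in (inspect_script_block(b, local_names) for b in blocks) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_SCRIPT_BLOCKS, local_names={"EXCH01"}):
        print(f"{hit['share_type']:>7} share -> {hit['path']}")
```

Every hit, remote or local, is a candidate for investigation as the rule intends; the share classification only helps an analyst prioritise.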
Categories
- Windows
- On-Premise
Data Sources
- Script
Created: 2022-10-26