Windows MSExchange Management Mailbox Cmdlet Usage

Splunk Security Content

Summary
This detection rule identifies anomalous usage of Exchange Management cmdlets that could indicate malicious activity, particularly activity related to the ProxyShell and ProxyNotShell vulnerabilities. It specifically targets cmdlets that manage mailboxes and roles, such as `New-MailboxExportRequest` and `New-ManagementRoleAssignment`. By matching specific Event Codes (such as EventCode 1) and message patterns, the rule aims to flag potential unauthorized access attempts or manipulation of critical Exchange components. Such activity can lead to data breaches or privilege escalation and should be monitored closely. Implementing the rule involves collecting the relevant Exchange Management logs and monitoring the listed cmdlets for unusual patterns. Administrators who run these cmdlets as part of routine management may produce false positives, which will require additional filtering.
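The following is an added example, not the rule's own Splunk search, showing the detection logic described above run over constructed sample events. The event shape (`EventCode`, `user`, `Message` with a `Cmdlet <name>` fragment) and the allowlist of routine administrative accounts are assumptions for illustration, not fields taken from the page.

```python
import re

# Cmdlets named in the rule summary as worth flagging.
SUSPICIOUS_CMDLETS = {"New-MailboxExportRequest", "New-ManagementRoleAssignment"}

# Constructed sample events; the field layout is a hypothetical simplification
# of MSExchange Management log entries, not the real log format.
SAMPLE_EVENTS = [
    {"EventCode": 1, "user": "CORP\\svc-exchange",
     "Message": "Cmdlet succeeded. Cmdlet New-MailboxExportRequest, parameters {Mailbox=jdoe}."},
    {"EventCode": 1, "user": "CORP\\webuser",
     "Message": "Cmdlet succeeded. Cmdlet New-ManagementRoleAssignment, parameters {Role=Mailbox Import Export}."},
    {"EventCode": 1, "user": "CORP\\admin1",
     "Message": "Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=jdoe}."},
    # Failed cmdlet (different EventCode) is outside the rule's scope.
    {"EventCode": 6, "user": "CORP\\webuser",
     "Message": "Cmdlet failed. Cmdlet New-MailboxExportRequest, parameters {Mailbox=jdoe}."},
]

# Matches the first Verb-Noun token that follows the word "Cmdlet".
CMDLET_RE = re.compile(r"Cmdlet\s+([A-Za-z]+-[A-Za-z]+)")


def extract_cmdlet(message):
    """Return the cmdlet name found in a log message, or None if absent."""
    match = CMDLET_RE.search(message)
    return match.group(1) if match else None


def find_suspicious(events, allowlist=frozenset()):
    """Return (user, cmdlet) pairs for EventCode 1 events that invoke a
    targeted cmdlet. Accounts in the allowlist (routine admin use) are
    dropped to reduce the false positives the rule summary warns about."""
    hits = []
    for event in events:
        if event.get("EventCode") != 1:
            continue
        cmdlet = extract_cmdlet(event.get("Message", ""))
        if cmdlet in SUSPICIOUS_CMDLETS and event.get("user") not in allowlist:
            hits.append((event["user"], cmdlet))
    return hits


if __name__ == "__main__":
    for user, cmdlet in find_suspicious(SAMPLE_EVENTS, allowlist={"CORP\\svc-exchange"}):
        print(f"ALERT: {user} invoked {cmdlet}")
```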
Categories
  • Endpoint
  • Infrastructure
  • Cloud
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1059
  • T1059.001
Created: 2024-11-13