
Summary
This detection rule is designed to identify potential email exfiltration attempts using PowerShell on Windows systems. It focuses on monitoring process-creation events in which the PowerShell executable is launched with specific command-line arguments that suggest exfiltration of email data. Specifically, it looks for commands that add PowerShell snap-ins and retrieve email recipient information, including email addresses. When these patterns are detected, an alert is raised at high severity, indicating a risk of data exfiltration. The rule leverages documented behavior of known threats, particularly those related to ransomware operations, as described in Microsoft's security blog. By implementing this rule, organizations can improve their visibility into potentially malicious activity targeting sensitive email data.
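The following is an added example, not the rule's own query, showing how the process-creation check described above can be expressed in code and run over sample events. It assumes the snap-in cmdlet Add-PSSnapin, the Exchange cmdlet Get-Recipient and its EmailAddresses property as the concrete command-line markers, which the summary does not name, and the events are constructed rather than real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry). Two are expected
# to match, one is benign Exchange administration, one is not PowerShell.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                'Get-Recipient | Select-Object -ExpandProperty EmailAddresses"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                'Get-MailboxDatabase"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo Get-Recipient EmailAddresses"},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": 'pwsh.exe -NoP -C "add-pssnapin *exchange*; get-recipient | select -expand emailaddresses"'},
]

# Assumed markers (hypothetical; the rule summary does not list exact strings).
# Matching is case-insensitive because PowerShell cmdlet names are.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
MARKERS = [re.compile(p, re.IGNORECASE)
           for p in (r"add-pssnapin", r"get-recipient", r"emailaddresses")]


@dataclass
class Alert:
    severity: str
    image: str
    cmdline: str


def is_powershell(image: str) -> bool:
    """Image must be the Windows PowerShell or PowerShell 7 binary."""
    return image.lower().endswith(POWERSHELL_IMAGES)


def matches_email_exfil(event: dict) -> bool:
    """All three markers must appear in one PowerShell command line."""
    if not is_powershell(event["image"]):
        return False
    return all(m.search(event["cmdline"]) for m in MARKERS)


def scan(events: list) -> list:
    """Return one high-severity alert per matching process-creation event."""
    return [Alert("high", e["image"], e["cmdline"])
            for e in events if matches_email_exfil(e)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.severity, alert.image, alert.cmdline, sep=" | ")
```

Requiring all markers on one command line keeps routine Exchange administration that only loads the snap-in from alerting, while still catching case-variant spellings.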
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-09-09