
Summary
This detection rule identifies use of the PowerShell cmdlet `New-MailboxExportRequest`, which exports the contents of an Exchange mailbox to a .pst file. Adversaries may abuse this functionality to collect and exfiltrate sensitive information. The rule applies to logs collected from Windows hosts, specifically PowerShell activity. Legitimate Exchange administrators use this cmdlet for routine maintenance, so its invocation alone is not conclusive; invocation by an unauthorized user, however, can indicate an attempt to collect sensitive data from user mailboxes. Analysts should investigate the context of the cmdlet usage and confirm whether the activity was sanctioned by verifying the user's permissions and the presence of approvals required by organizational policy. The rule includes investigation steps and response actions to undertake when a match is found, underlining the risk associated with unauthorized mailbox exports.
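The following is an added illustration of the detection and triage logic described above; it is not the rule's own implementation. It runs over constructed PowerShell script-block log records (the user and script text fields of Event ID 4104-style entries), matches the cmdlet case-insensitively, pulls out the parameters an analyst would want to see (mailbox, destination file, content filter), and rates the finding against a hypothetical list of approved exporters.

```python
import re

# Constructed sample script-block log records, not real telemetry.
SAMPLE_EVENTS = [
    {"user": r"CORP\exch-admin",
     "script": r"New-MailboxExportRequest -Mailbox jdoe -FilePath \\fs01\pst\jdoe.pst"},
    {"user": r"CORP\helpdesk7",
     "script": "Get-Mailbox -Identity jdoe | Select DisplayName"},
    {"user": r"CORP\svc-backup",
     "script": r"new-mailboxexportrequest -mailbox 'CEO' -FilePath 'C:\temp\ceo.pst' "
               r"-ContentFilter {Subject -like '*salary*'}"},
]

# PowerShell cmdlet names are case-insensitive, so match accordingly.
CMDLET_RE = re.compile(r"\bNew-MailboxExportRequest\b", re.IGNORECASE)
# Parameter values may be bare tokens, quoted strings, or a {script block}.
PARAM_RE = re.compile(
    r"-(Mailbox|FilePath|ContentFilter)\s+('[^']*'|\"[^\"]*\"|\{[^}]*\}|\S+)",
    re.IGNORECASE,
)


def extract_export_request(script):
    """Return the interesting parameters if the script invokes the cmdlet, else None."""
    if not CMDLET_RE.search(script):
        return None
    return {m.group(1).lower(): m.group(2).strip("'\"") for m in PARAM_RE.finditer(script)}


def triage(events, approved_exporters):
    """Turn matching events into findings; unapproved users are rated high."""
    approved = {u.lower() for u in approved_exporters}  # hypothetical allowlist
    findings = []
    for ev in events:
        params = extract_export_request(ev["script"])
        if params is None:
            continue
        findings.append({
            "user": ev["user"],
            "mailbox": params.get("mailbox"),
            "file_path": params.get("filepath"),
            "content_filter": params.get("contentfilter"),
            "severity": "info" if ev["user"].lower() in approved else "high",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, [r"CORP\exch-admin"]):
        print(f)
```

A content filter on an export is worth calling out in the investigation notes, since it shows the export was targeted at specific messages rather than a whole-mailbox backup.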
Categories
- Windows
- Endpoint
- Application
Data Sources
- Windows Registry
- Process
- Logon Session
ATT&CK Techniques
- T1005
- T1114
- T1114.001
- T1114.002
Created: 2023-01-11