
Summary
This detection rule identifies reconnaissance activity that uses common Exchange cmdlets in PowerShell, which threat actors often employ to gather information or propagate malware within an organization's network. The rule is associated with threat actors such as APT29 (Nobelium) and with software such as DatopLoader, indicating a high level of risk from sophisticated adversaries. It captures specific PowerShell commands indicative of account discovery and email account enumeration, including the cmdlets Get-AcceptedDomain, Get-Mailbox, and Get-OrganizationConfig, primarily as recorded in PowerShell event logs. By monitoring these events, security teams can detect potential intrusions or attempts at lateral movement within their environment.
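To show what this rule's logic looks like when run over PowerShell script-block log records, here is an added Python example; it is not the rule's own implementation. The event records are constructed, and whole-name matching (so that Get-MailboxStatistics does not count as Get-Mailbox) is an assumption about rule scope, not something the page states.

```python
import re
from collections import defaultdict

# Exchange cmdlets the rule watches for (taken from the rule summary).
WATCHED_CMDLETS = ("Get-AcceptedDomain", "Get-Mailbox", "Get-OrganizationConfig")

# Match whole cmdlet names only, case-insensitively (PowerShell is case-
# insensitive), so Get-MailboxStatistics is not counted as Get-Mailbox.
# Assumption about rule scope, not stated on the page.
_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(c) for c in WATCHED_CMDLETS) + r")(?![\w-])",
    re.IGNORECASE,
)
_CANON = {c.lower(): c for c in WATCHED_CMDLETS}


def find_cmdlets(script_block: str) -> list:
    """Watched cmdlets in one script block, canonical casing, first-seen order."""
    found = []
    for m in _PATTERN.finditer(script_block):
        name = _CANON[m.group(1).lower()]
        if name not in found:
            found.append(name)
    return found


def evaluate(events) -> dict:
    """Group script-block events by (host, user) and keep only pairs that ran
    at least one watched cmdlet. Each event is a dict with host/user/script,
    mirroring the fields a PowerShell script-block log record carries."""
    hits = defaultdict(list)
    for ev in events:
        key = (ev["host"], ev["user"])
        for name in find_cmdlets(ev["script"]):
            if name not in hits[key]:
                hits[key].append(name)
    return {k: v for k, v in hits.items() if v}


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "script": "Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress"},
    {"host": "WS01", "user": "CORP\\alice", "script": "get-accepteddomain | ft Name,DomainName"},
    {"host": "WS02", "user": "CORP\\bob", "script": "Get-MailboxStatistics -Identity bob"},
    {"host": "EX01", "user": "CORP\\exadmin", "script": "Get-OrganizationConfig | fl"},
]

if __name__ == "__main__":
    for (host, user), names in evaluate(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} user={user} cmdlets={', '.join(names)}")
```

Seeing several distinct watched cmdlets from one host/user pair in a short window is a stronger enumeration signal than a single hit, which legitimate administration also produces.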
Categories
- Windows
- Endpoint
- Cloud
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1087.003
- T1059.001
Created: 2024-02-09