
MailSniper Invoke Functions

Splunk Security Content

Summary
This analytic detects the execution of known MailSniper PowerShell functions by monitoring PowerShell script block logging (EventCode 4104). MailSniper is a tool employed by attackers to search for sensitive emails, especially on compromised Exchange servers. The detection matches specific script block text patterns associated with MailSniper, which include functions such as Invoke-GlobalO365MailSearch and Invoke-PasswordSprayOWA. Malicious use of these functions could result in unauthorized access to sensitive email data, credential theft, and further widespread compromise of the email infrastructure. Implementing this rule requires ingesting the relevant PowerShell script block logs and configuring the system to monitor these events effectively.
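The detection logic described above, as an added illustration that is not part of the Splunk Security Content rule itself: it filters constructed script block logging events to EventCode 4104 and matches the MailSniper function names the summary cites, case-insensitively. The event field names (EventCode, Computer, UserID, ScriptBlockText) and sample events are assumptions for this example.

```python
import re
from typing import Dict, Iterable, List

# Function names named on the page; extend the tuple with other MailSniper
# cmdlets to broaden coverage. A renamed or obfuscated copy of the tool will
# not be caught by literal name matching, so treat this as one signal among several.
MAILSNIPER_FUNCTIONS = ("Invoke-GlobalO365MailSearch", "Invoke-PasswordSprayOWA")

# PowerShell cmdlet names are case-insensitive, so the match must be too.
_FUNC_RE = re.compile("|".join(re.escape(f) for f in MAILSNIPER_FUNCTIONS), re.IGNORECASE)

# Constructed sample events (not real logs) mimicking the key fields of
# Windows PowerShell script block logging (EventCode 4104) as forwarded to a SIEM.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "4104", "Computer": "ws01.corp.example", "UserID": "CORP\\alice",
     "ScriptBlockText": "Import-Module .\\MailSniper.ps1; Invoke-GlobalO365MailSearch"},
    {"EventCode": "4104", "Computer": "ws02.corp.example", "UserID": "CORP\\bob",
     "ScriptBlockText": "invoke-passwordsprayowa -Verbose"},
    {"EventCode": "4104", "Computer": "ws03.corp.example", "UserID": "CORP\\carol",
     "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.example/p.msi -OutFile p.msi"},
    # Same text under module logging (4103): deliberately out of scope for this rule.
    {"EventCode": "4103", "Computer": "ws04.corp.example", "UserID": "CORP\\dave",
     "ScriptBlockText": "Invoke-PasswordSprayOWA"},
]


def find_mailsniper_hits(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per 4104 event whose ScriptBlockText names a MailSniper function."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventCode") != "4104":
            continue  # only script block logging events are in scope
        match = _FUNC_RE.search(ev.get("ScriptBlockText", ""))
        if match:
            hits.append({"Computer": ev.get("Computer", ""), "UserID": ev.get("UserID", ""),
                         "Function": match.group(0), "EventCode": "4104"})
    return hits


if __name__ == "__main__":
    for hit in find_mailsniper_hits(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['UserID']} invoked {hit['Function']}")
```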
Categories
  • Endpoint
Data Sources
  • Pod
  • Persona
  • Process
  • Application Log
ATT&CK Techniques
  • T1114
  • T1114.001
  • T1059.001
Created: 2024-11-13