Windows suspicious PowerShell mailbox export to share
Goal
Detects Exchange PowerShell commands that export mailbox contents to file shares for potential data exfiltration.
Strategy
This rule monitors PowerShell script block logging through @Event.EventData.Data.ScriptBlockText
for Exchange management commands using New-MailboxExportRequest
with both -Mailbox
and -FilePath
parameters. The cmdlet exports mailbox contents to PST files at specified network locations.
While this functionality serves legitimate administrative purposes, it represents a high-risk activity that allows attackers with Exchange management privileges to collect email data en masse for exfiltration. The exported PST files contain complete mailbox contents that can be easily transferred outside the organization.
Triage & Response
- Examine the full PowerShell command on
{{host}}
to identify targeted mailboxes and export destinations. - Verify authorization status and business justification for the export operation.
- Evaluate the legitimacy of the destination path for exported PST files.
- Check file sizes and contents of exported mailbox data.
- Monitor for subsequent file transfer or archiving activities.
- Track additional access to mailboxes by the same user account.
- Review Exchange audit logs for additional suspicious activities.