Windows suspicious PowerShell mailbox export to share

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects Exchange PowerShell commands that export mailbox contents to file shares for potential data exfiltration.

Strategy

This rule monitors PowerShell script block logging through @Event.EventData.Data.ScriptBlockText for Exchange management commands using New-MailboxExportRequest with both -Mailbox and -FilePath parameters. The cmdlet exports mailbox contents to PST files at specified network locations.

While this functionality serves legitimate administrative purposes, it represents a high-risk activity that allows attackers with Exchange management privileges to collect email data en masse for exfiltration. The exported PST files contain complete mailbox contents that can be easily transferred outside the organization.
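The matching logic described above, run over a few constructed script block events, as an added example that is not the rule's own query: it assumes events shaped like PowerShell script block logging records (Event ID 4104) with a ScriptBlockText field, requires the cmdlet plus both -Mailbox and -FilePath, and pulls out the mailbox and destination for triage.

```python
import re

# Constructed sample events modelled on PowerShell script block logging
# (Event ID 4104); ScriptBlockText is the field the rule inspects.
SAMPLE_EVENTS = [
    {"host": "exch01", "ScriptBlockText":
     r"New-MailboxExportRequest -Mailbox ceo@corp.example -FilePath \\fileserver\exports\ceo.pst"},
    {"host": "exch01", "ScriptBlockText":
     r"new-mailboxexportrequest -mailbox 'Jane Doe' -filepath '\\10.0.0.5\c$\jane.pst' -BadItemLimit 50"},
    {"host": "exch01", "ScriptBlockText":
     "Get-MailboxExportRequest | Get-MailboxExportRequestStatistics"},
    {"host": "exch02", "ScriptBlockText":
     "New-MailboxExportRequest -Mailbox audit@corp.example"},  # no -FilePath
]

CMDLET = re.compile(r"\bNew-MailboxExportRequest\b", re.IGNORECASE)
# A parameter value is a single- or double-quoted string, or a bare token
# that does not itself start with "-" (i.e. is not the next parameter).
VALUE = r"""\s+(?:'([^']*)'|"([^"]*)"|((?!-)\S+))"""


def _arg(name: str, text: str):
    """Return the value passed to -<name>, or None if the parameter is absent.
    The lookbehind requires whitespace before the dash, so "-Mailbox" inside
    a word such as Get-MailboxExportRequest does not count as a parameter."""
    m = re.search(r"(?<=\s)-" + name + r"\b" + VALUE, text, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def detect(event: dict):
    """Return a finding when the script block matches the rule, else None."""
    text = event.get("ScriptBlockText", "")
    if not CMDLET.search(text):
        return None
    mailbox = _arg("Mailbox", text)
    file_path = _arg("FilePath", text)
    if mailbox is None or file_path is None:
        return None  # the rule requires both parameters
    return {
        "host": event["host"],
        "mailbox": mailbox,
        "file_path": file_path,
        # A UNC destination means the PST lands on a network share, which is
        # the exfiltration path this rule is concerned with.
        "unc_destination": file_path.startswith("\\\\"),
    }


def findings(events):
    return [f for f in (detect(e) for e in events) if f]
```

PowerShell also accepts unambiguous parameter prefixes (-Mailb, -File), so matching only the full parameter names, as the rule's description states, leaves abbreviated invocations for the triage review of the full command to catch.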

Triage & Response

  • Examine the full PowerShell command on {{host}} to identify targeted mailboxes and export destinations.
  • Verify authorization status and business justification for the export operation.
  • Evaluate the legitimacy of the destination path for exported PST files.
  • Check file sizes and contents of exported mailbox data.
  • Monitor for subsequent file transfer or archiving activities.
  • Track additional access to mailboxes by the same user account.
  • Review Exchange audit logs for additional suspicious activities.