diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 3bfc3b746..17877777c 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -6,7 +6,7 @@ references:
     - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
 date: 2021/08/09
-modified: 2022/10/26
+modified: 2023/02/28
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -18,13 +18,13 @@ detection:
         - 'New-MailboxExportRequest'
         - ' -Mailbox '
     export_params:
-        - '-FilePath "\\\\' # We care about any share location
+        - '-FilePath "\\\\' # We care about any share location.
         - '.aspx'
     role_assignment:
         - 'New-ManagementRoleAssignment'
         - ' -Role "Mailbox Import Export"'
         - ' -User '
-    condition: all of export_* or role_assignment
+    condition: (all of export_command and export_params) or all of role_assignment
 falsepositives:
     - Unlikely
 level: critical
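Review bot: The new condition line relies on `all of export_command` and `all of role_assignment` to express "every keyword in the list must be present", but what `all of` means on a single unfielded keyword list depends on the converter, so the intent should be made explicit in the selections instead. To my reading, legacy sigmac ANDed the members of a keyword list under `all of <one-selection>`, whereas pySigma reduces `all of X` on a single identifier to plain `X`, and a plain keyword list is an OR — under the latter the role_assignment branch fires on any MSExchange Management entry containing just ` -User `, which does not square with `falsepositives: Unlikely` and `level: critical` (the `export_command:` key itself sits above the hunk). If the three role_assignment strings (and the two export_command strings) are meant to co-occur, the `|all` keyword modifier states that independently of condition semantics, and the condition can then be the plain `(export_command and export_params) or role_assignment`. Separately, `'-FilePath "\\\\'` only matches the double-quoted UNC form, so a single-quoted or unquoted `-FilePath \\server\share` in the same cmdlet slips past export_params; at minimum extend the comment to `# Only the double-quoted UNC form is covered; single-quoted/unquoted paths are not.`

```yaml
    export_command:
        '|all':
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    # … unchanged: export_params …
    role_assignment:
        '|all':
            - 'New-ManagementRoleAssignment'
            - ' -Role "Mailbox Import Export"'
            - ' -User '
    condition: (export_command and export_params) or role_assignment
```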