Hi @gman
Please also check if you see any other suspicious activity like ECP/OWA/OAB or evidence of the other CVE's being hit then collect the following data from the impacted server(s):
C:\inetpub\wwwroot\aspnet_client\ *.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\
%ExchangeInstallPath%\FrontEnd\HttpProxy\OWA\Auth\
The log output from the Test-ProxyLogon Script
Detailed information refer to this Scan Exchange log files for indicators of compromise
Make sure you have upgraded your Exchange server to the latest CU version and have installed the security patch, this method is the only complete mitigation and has no impact to functionality.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.