I facing the same issues on Exchange 2016 CU20.
After I ran EOMT.ps1 and MSERT.exe, it found infected by backdoor,
MSIL/Chopper.F!dha
MSIL/AgenteslaPacker!MTB
ASP/WebShell.C!MTB
The results show already removed some suspicious files.
But it still coming back.
I patched it with (for CU20),
KB5003435 (CVE-2021-31195, CVE-2021-31198, CVE-2021-31207, CVE-2021-31209) and
KB5004779 (CVE-2021-31196, CVE-2021-31206)
So far, no more issues. (finger cross)