MarcelWie As of right now, it seems like the Defender detection will fire if your server gets scanned for a particular vulnerability even if you have the November CU installed (and therefore the server is not vulnerable anymore). This scanning could happen either by some sort of internally run security software that looks for vulnerabilities, or possibly it is an externally initiated scan. But the bottom line is: it does not indicate compromise, but rather the scan for the vulnerability. The Defender team is looking at how to address this. As you can see here, this particular detection is associated with "Initial access". The mitigation was blocking that traffic before, so that's why it was not getting detected.