There is no doubt that patching belongs on our priority list. But in some cases, such as ProxyLogon, patching alone isn't sufficient.
Microsoft claims that 92% of Exchange servers have applied the mitigations against the critical flaw. However, it is critical to investigate Exchange servers in detail while patching, because a pre-patch compromise is very likely.
Here are 2 tools to help detect the IOCs, and you can cross-check the results with your SIEM.
Links:
- https://www.zdnet.com/article/microsoft-92-of-vulnerable-exchange-servers-are-now-patched-mitigated/