
Summary
This analytic targets the exploitation of known vulnerabilities in Microsoft Exchange Server, focusing on ProxyShell and ProxyNotShell. The detection logic monitors for suspicious POST requests to the /autodiscover/autodiscover.json endpoint, which is often used for initial reconnaissance in SSRF (Server-Side Request Forgery) attacks. The rule checks for specific query parameters that can indicate attempted exploitation, such as X-Rps-CAT, and identifies MAPI requests that may be used to glean sensitive information such as user SIDs. It also flags suspicious user agent strings commonly associated with automated exploit tools. A scoring mechanism aggregates multiple findings into a single score, and an alert fires when that score meets or exceeds the defined threshold. The goal of this analytic is to provide visibility into possible SSRF attacks that can lead to severe outcomes such as remote code execution and unauthorized access to Exchange environments.
Categories
- Network
- Endpoint
- Web
- Application
Data Sources
- Windows Registry
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1190
- T1133
Created: 2025-01-16