As of 3 October, Microsoft and other security companies have indicated that the exploitation of these vulnerabilities is still limited to targeted attacks. Also, according to investigators from Cybereason:

• The vulnerabilities have been identified due to known exploitation, but malicious actors exploiting these vulnerabilities have not be discovered by the team.
• As they are similar to ProxyShell and ProxyLogon, they have been dubbed ProxyNotShell.
• At the time of reporting, Microsoft has not yet provided any patch for the ProxyNotShell vulnerabilities, but has provided mitigations. Until the patch is provided, Microsoft has provided the following mitigation measure:
• Add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns.
• Use the tool released by Microsoft to mitigate CVE-2022-41040
• Cybereason rates this threat as HIGH, and recommends the following measures:
  • Search for anomalous .aspx files directories associated with the Microsoft Internet Information Services (IIS) component, in which adversaries often deploy web shells after exploiting ProxyNotShell. These include: Inetpub\wwwroot\aspnet_client, \Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\inetpub\wwwroot\aspnet_client\, \Program Files\Microsoft\Exchange Server\V*\FrontEnd\HttpProxy\owa\auth\, and subdirectories of \Users\All Users\
  • Look for these files using the following command: Get-ChildItem -Recurse -Path -Filter “*.log” | Select-String -Pattern ‘powershell.*autodiscover\.json.*\@.*200