


This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03. Check for 8-character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web\. If you get a hit on that search, you’re now in incident response mode.

https://nitter.net/JakeSullivan46/status/1367660450855477256
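
The check described in the post, as an added PowerShell example that is not part of the original post. It assumes "8 character" means an 8-character base name before `.aspx`, and it also looks in subfolders of the directory; the function name `Find-ShortAspx` is made up for this example.

```powershell
# Added example: triage sweep for the files the post says to look for.
# Assumption: "8 character" = base name of exactly 8 characters, extension .aspx.
$Root = 'C:\inetpub\wwwroot\aspnet_client\system_web'

function Find-ShortAspx {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path"
        return
    }

    # -Force includes hidden and system files; -Recurse (an assumption of this
    # example) also covers subfolders below the directory named in the post.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.aspx' -and $_.BaseName.Length -eq 8 } |
        ForEach-Object {
            # Record timestamps and a hash before anyone touches the file,
            # so the evidence can be compared and preserved later.
            [pscustomobject]@{
                FullName         = $_.FullName
                SizeBytes        = $_.Length
                CreationTimeUtc  = $_.CreationTimeUtc
                LastWriteTimeUtc = $_.LastWriteTimeUtc
                SHA256           = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$hits = @(Find-ShortAspx -Path $Root)

if ($hits.Count -eq 0) {
    Write-Output "No 8-character .aspx files found under $Root"
} else {
    # Oldest first, so creation times can be compared with the 02/26-03/03 window.
    $hits | Sort-Object CreationTimeUtc | Format-List
    Write-Warning "$($hits.Count) candidate file(s) found. Preserve them and start incident response."
}
```

An empty result only covers this one directory and naming pattern; it does not show that the server is clean.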
