| Confirmed compromise | OWA telemetry or mailbox audit evidence shows crafted-email interaction and follow-on mailbox/session activity while M2 is absent, blocked, or failed. | Exchange version, OWA logs, EEMS state, mailbox audit rows, timestamp, and user identity. | Preserve HttpProxy OWA logs, EEMS logs, mailbox audit logs, and suspect messages. | M2 is applied and downstream OWA/mailbox audit has no unexplained access or permission changes. |
| Presumed exposed | Exchange 2016, 2019, or Subscription Edition with OWA exposure has EEMS disabled, disconnected, blocked, or missing M2. | Get-ExchangeServer, MSExchangeMitigation service state, and mitigation script output. | Keep the server in scope until EEMS M2 is verified. | EEMS is running, connectivity succeeds, and M2 is present and not blocked. |
| Potentially exposed | Exchange server exists but OWA exposure, EEMS state, or mitigation output is missing. | Exchange Management Shell, CMDB, scanner, or proxy evidence naming Exchange/OWA. | Collect Exchange and EEMS outputs. | Server resolves to confirmed compromise, presumed exposed, not exposed, or unknown. |
| Not exposed | No affected Exchange server or OWA surface is present, or M2 is verified on the server. | Negative asset evidence or mitigation verification output. | None for this CVE. | Evidence is attached to the server record. |
| Unknown | Exchange shell, EEMS logs, or OWA logs are unavailable. | Gap statement naming unavailable sources. | Keep internet-facing Exchange OWA servers in scope. | Evidence is recovered or the risk owner accepts the named gap. |