Vulnerable servers are hot targets for a wide spectrum of threat actor groups looking for an initial foothold into a network for espionage or financial purposes. Nation-state adversaries, ransomware gangs, and cryptomining operations have already exploited ProxyLogon. The bug was exploited in the wild even before Microsoft received the vulnerability report, giving attackers a two-month head start to breach targets before security updates became available. With patches released and proof-of-concept exploit code surfacing online, thousands of Microsoft Exchange servers worldwide remain vulnerable.
Source: https://www.bleepingcomputer.com/news/security/the-microsoft-exchange-hacks-how-they-started-and-where-we-are/