just to add have also seen these logged events when ASR rule to block credential stealing is enabled. but I dont really care as reflect still works.
step1 - enable the blocking of credential stealing in micorosft defender ASR rules using powershell/reg or 3rd party util
step 2 check logs
e.g Event 46 ID: 1121 - 6/12/2022 8:42:14 PM
Message: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
Detection time: 2022-06-12T19:42:14.905Z
User: NT AUTHORITY\SYSTEM
Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
Inheritance Flags: 0x00000000
Security intelligence Version: 1.367.1460.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5