+xHello
@mjohnsonn,
We are looking into this issue now, Are there any steps you could provide to help us replicate this issue?
just to add have also seen these logged events when ASR rule to block credential stealing is enabled. but I dont really care as reflect still works.
step1 - enable the blocking of credential stealing in micorosft defender ASR rules using powershell/reg or 3rd party util

step 2 check logs
e.g Event 46 ID: 1121 - 6/12/2022 8:42:14 PM
Message: Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2022-06-12T19:42:14.905Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.367.1460.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5