Over the last several months, I have noticed more scans for WebDAV PROPFIND showing up in my honeypot. This is likely an attempt to exploit and launch calc.exe on the server to test if the web extension exist and can be exploited. The scans have a very basic and non-standard header:
Article Link: https://isc.sans.edu/diary/rss/24600