<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: 7-year-old vulnerability is actually 15, but who cares?</title>
	<atom:link href="http://securityblog.verizonbusiness.com/2008/11/18/154/feed/" rel="self" type="application/rss+xml" />
	<link>http://securityblog.verizonbusiness.com/2008/11/18/154/</link>
	<description>Risk Intelligence from Verizon Business Security Solutions powered by Cybertrust</description>
	<lastBuildDate>Fri, 30 Oct 2009 23:27:39 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: CG</title>
		<link>http://securityblog.verizonbusiness.com/2008/11/18/154/comment-page-1/#comment-79</link>
		<dc:creator>CG</dc:creator>
		<pubDate>Sat, 22 Nov 2008 13:01:15 +0000</pubDate>
		<guid isPermaLink="false">http://securityblog.verizonbusiness.com/?p=154#comment-79</guid>
		<description>While we shouldn&#039;t believe in voodoo and say that all vulnerabilities have exploit code and they are being massively abused by bad guys.

I do think that we should believe that if there is exploit code it IS being used or trying to be used by bad guys.

I have successfully used the SMBrelay exploit in Metasploit on several internal pentests and it works great combined with a little phish action. Great for catching people browsing the web or email as admins or who have added their domain account to the local administrators group on their system.

The Metasploit module is messy and leaves a big indicator it was run (but there are patches to make it less noticeable). Again, not to believe in voodoo, but just because anyone hasn&#039;t been able to directly attribute that exploitation vector to an incident, I wouldn&#039;t be so quick to dismiss it. For the counter argument, it is an internal attack; to use it you already have a foothold, and it&#039;s probably much easier to just run a local on the box and get the privileges you need rather than setting up everything with smbrelay-type exploits.</description>
		<content:encoded><![CDATA[<p>While we shouldn&#8217;t believe in voodoo and say that all vulnerabilities have exploit code and they are being massively abused by bad guys.</p>
<p>I do think that we should believe that if there is exploit code it IS being used or trying to be used by bad guys.</p>
<p>I have successfully used the SMBrelay exploit in Metasploit on several internal pentests and it works great combined with a little phish action. Great for catching people browsing the web or email as admins or who have added their domain account to the local administrators group on their system.</p>
<p>The Metasploit module is messy and leaves a big indicator it was run (but there are patches to make it less noticeable). Again, not to believe in voodoo, but just because anyone hasn&#8217;t been able to directly attribute that exploitation vector to an incident, I wouldn&#8217;t be so quick to dismiss it. For the counter argument, it is an internal attack; to use it you already have a foothold, and it&#8217;s probably much easier to just run a local on the box and get the privileges you need rather than setting up everything with smbrelay-type exploits.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
