More threat actors have been targeting vulnerable Exchange servers with Internet Information Services web server extensions instead of web shells to better evade detection, BleepingComputer reports. Malicious IIS extensions could serve as persistent backdoors as they share identical structures with legitimate modules while being very difficult to identify, according to a report from the Microsoft 365 Defender Research Team. "In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection," said Microsoft. Attackers have been identified to have launched a malicious IIS extension deployment campaign between January and May aimed at email mailbox infiltration and remote command execution, as well as credential and confidential data theft. "After a period of doing reconnaissance, dumping credentials, and establishing a remote access method, the attackers installed a custom IIS backdoor called FinanceSvcModel.dll in the folder C:inetpubwwwrootbin. The backdoor had built-in capability to perform Exchange management operations, such as enumerating installed mailbox accounts and exporting mailboxes for exfiltration," added Microsoft.