Security News > 2022 > July > Microsoft: IIS extensions increasingly used as Exchange backdoors
Microsoft says attackers increasingly use malicious Internet Information Services web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells.
"In most cases, the actual backdoor logic is minimal and cannot be considered malicious without a broader understanding of how legitimate IIS extensions work, which also makes it difficult to determine the source of infection," the Microsoft 365 Defender Research Team said Tuesday.
Microsoft previously saw custom IIS backdoors installed after threat actors exploited ZOHO ManageEngine ADSelfService Plus and SolarWinds Orion vulnerabilities.
More recently, in a campaign between January and May 2022 that targeted Microsoft Exchange servers, attackers deployed malicious IIS extensions to gain access to victims' email mailboxes, run commands remotely, and steal credentials and confidential data.
Kaspersky has also recently spotted malware delivered as IIS extensions onto Microsoft Exchange servers to execute commands and steal credentials remotely.
To defend against attacks using malicious IIS modules, Microsoft advises customers to keep their Exchange servers up to date, keep anti-malware and security solutions enabled, review sensitive roles and groups, restrict access to IIS virtual directories, prioritize alerts, and inspect config files and bin folders.