Microsoft warned against threat actors increasingly using malicious IIS web server extensions to backdoor unpatched Exchange servers. Between January and May, the attackers targeted several servers to access victims’ email mailboxes, steal credentials and sensitive data, and run commands. IIS modules are usually not used as backdoors as compared to general web application threats such as web shells.