{"id":92066,"date":"2021-12-22T10:49:23","date_gmt":"2021-12-22T10:49:23","guid":{"rendered":"https:\/\/www.stellarinfo.com\/blog\/?p=92066"},"modified":"2024-08-21T04:13:14","modified_gmt":"2024-08-21T04:13:14","slug":"hackers-steal-exchange-server-credentials-owowa-malware","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/","title":{"rendered":"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module"},"content":{"rendered":"<?xml encoding=\"utf-8\" ?><?xml encoding=\"utf-8\" ?><p>Security researchers at Kaspersky have discovered a new malicious IIS module called Owowa that harvests user credentials when they login to Outlook Web Access (OWA). The stealthy malware lingers on the IIS server to steal credentials when the user authentication request is made via OWA.<\/p><p>Researchers at Kaspersky have identified clusters of Microsoft Exchange Servers targeted by the malware in Asia&mdash;mainly in Malaysia, Indonesia, the Philippines, and Mongolia. Most of these servers belong to government organizations.<\/p><p>Besides harvesting user credentials, the malware allows hackers to control the server and run malicious commands remotely.<\/p><h2 class=\"wp-block-heading\" id=\"how-attackers-are-using-owowa-malware-to-steal-credentials?\">How Attackers are Using Owowa Malware to Steal Credentials?<\/h2><p><strong>Internet Information Services<\/strong> or <strong>IIS<\/strong> is a flexible Microsoft web server suite used to serve files and HTML pages. One can extend the IIS functionalities or add features by installing various add-ons called modules&mdash;similar to plugins in WordPress or add-ins in Outlook. &nbsp;<\/p><p>Hackers are taking advantage of this and side loading the malicious <strong>Owowa<\/strong> module into the IIS server that infects the Exchange Server and exposes the OWA functions.<\/p><p>According to Kaspersky, the attack begins with compromising the unpatched Exchange Server by exploiting the ProxyLogon or ProxyShell vulnerabilities&mdash;already patched by Microsoft in March, April, and May 2021.<\/p><p>Attackers then sideload the Owowa module into the IIS web server, which exposes the Outlook Web Access (OWA). As per Kaspersky, the malicious module is first registered in the global assembly cache and loaded by the IIS server running the OWA application.<\/p><p>Once installed, a malicious actor can interact with the loaded Owowa module by executing specifically crafted commands&mdash;mentioned below&mdash;within the OWA&rsquo;s <em>Username<\/em> and <em>Password<\/em> fields on the authentication page of the compromised Exchange Server.<\/p><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"798\" height=\"779\" src=\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/outlook-web-app.png\" alt=\"outlook web app\" class=\"wp-image-92071 apply-gradient-on-post-images\" srcset=\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/outlook-web-app.png 798w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/outlook-web-app-300x293.png 300w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/outlook-web-app-768x750.png 768w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/outlook-web-app-380x371.png 380w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/outlook-web-app-550x537.png 550w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/figure><p>According to Kaspersky,<\/p><ul class=\"wp-block-list\"><li>If the OWA username is jFuLIXpzRdateYHoVwMlfc, Owowa will return the encrypted credentials log, encoded in base64.<\/li><li>If the OWA username is Fb8v91c6tHiKsWzrulCeqO, the malicious module deletes the content of the encrypted credentials log, and returns the OK string (encrypted using RSA).<\/li><li>If the OWA username is dEUM3jZXaDiob8BrqSy2PQO1, Owowa executes the command that is typed in the OWA password field using PowerShell on the compromised server.<\/li><\/ul><p>The Owowa responds to these commands via the IIS web server and returns the credentials, timestamp, and users&rsquo; IP address to the threat actor in a file encrypted with the RSA algorithm. The user does not notice any error or anything suspicious.<\/p><h2 class=\"wp-block-heading\" id=\"how-to-detect-and-get-rid-of-owowa-malware?\">How to Detect and Get Rid of Owowa Malware?<\/h2><p>The malicious IIS Module&mdash;Owowa&mdash;stays persistent even after an Exchange software update, making it an effective tool for attackers. Moreover, it is a much stealthier alternative to phishing emails as it passively steals the user credentials from users accessing the web services.<\/p><p>To detect and identify if your Exchange server is compromised by the Owowa malware, administrators can run the <strong>appcmd.exe<\/strong> or <strong>IIS configuration<\/strong> tool to retrieve the list of loaded modules on the IIS Server.<\/p><p>The malicious Owowa module uses the &lsquo;<strong>ExtenderControlDesigner<\/strong>&rsquo; name.<\/p><figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"209\" src=\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/remove-ExtenderControlDesigner-Owowa-malware-exchange.png\" alt=\"remove ExtenderControlDesigner Owowa malware exchange\" class=\"wp-image-92072 apply-gradient-on-post-images\" srcset=\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/remove-ExtenderControlDesigner-Owowa-malware-exchange.png 675w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/remove-ExtenderControlDesigner-Owowa-malware-exchange-300x93.png 300w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/remove-ExtenderControlDesigner-Owowa-malware-exchange-380x118.png 380w, https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/remove-ExtenderControlDesigner-Owowa-malware-exchange-550x170.png 550w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/figure><p><strong>Source: <\/strong>Kaspersky<\/p><p>Remove the IIS module and patch your server immediately by installing the latest Cumulative and Security Updates released by Microsoft for your Exchange Server version. <\/p><p>To learn more, refer to our guide on <a href=\"https:\/\/www.stellarinfo.com\/article\/install-exchange-cumulative-updates.php\" target=\"_blank\" rel=\"noreferrer noopener\">installing Exchange Server Cumulative and Security updates<\/a>.<\/p><h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2><p>Owowa malware reminds the risks of not installing the Microsoft Exchange Server Security and Cumulative Updates to patch the vulnerabilities. It also highlights the need to check IIS Server modules regularly to check on malicious activities and ensure endpoint security shields are enabled.<\/p><p>In this blog, we have discussed the <strong>Owowa<\/strong> malware, its working, and steps to get rid of it. However, it is recommended to set up a new Exchange Server and move mailboxes from your compromised Exchange Server. There can be hidden backdoors or web shells installed by the attacker that can be used to compromise your server or network later.<\/p><p>However, if the server or database is damaged due to a malicious attack, you can use Exchange recovery software, such as <a href=\"https:\/\/www.stellarinfo.com\/edb-exchange-server-recovery.htm\" target=\"_blank\" rel=\"noreferrer noopener\">Stellar Repair for Exchange<\/a>, to extract mailboxes from corrupt databases and export them directly to your new Exchange server.<\/p><p>This tool can help you minimize downtime and save you from the huge manual efforts required in recovering and restoring mailboxes. If you need more help, leave a comment or reach us via the Self Help and Support page.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security researchers at Kaspersky have discovered a new malicious IIS module called&hellip; <a class=\"more-link\" href=\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\">Continue reading <span class=\"screen-reader-text\">Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module<\/span><\/a><\/p>\n","protected":false},"author":32,"featured_media":92137,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5298],"tags":[],"class_list":["post-92066","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","entry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>New Owowa Malware is Stealing Exchange Server Credentials<\/title>\n<meta name=\"description\" content=\"New IIS Server malware module found stealing Exchange Server credentials by infecting the Outlook Web App (OWA). Here&#039;s what you need to know\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"New Owowa Malware is Stealing Exchange Server Credentials\" \/>\n<meta property=\"og:description\" content=\"New IIS Server malware module found stealing Exchange Server credentials by infecting the Outlook Web App (OWA). Here&#039;s what you need to know\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"Stellar Data Recovery Blog\" \/>\n<meta property=\"article:author\" content=\"https:\/\/facebook.com\/raavisingh\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-22T10:49:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-08-21T04:13:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ravi Singh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/ravi51ngh\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ravi Singh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\"},\"author\":{\"name\":\"Ravi Singh\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/7dea10d15c0307370e21d7da07d0cd11\"},\"headline\":\"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module\",\"datePublished\":\"2021-12-22T10:49:23+00:00\",\"dateModified\":\"2024-08-21T04:13:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\"},\"wordCount\":726,\"image\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg\",\"articleSection\":[\"Ransomware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\",\"url\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\",\"name\":\"New Owowa Malware is Stealing Exchange Server Credentials\",\"isPartOf\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg\",\"datePublished\":\"2021-12-22T10:49:23+00:00\",\"dateModified\":\"2024-08-21T04:13:14+00:00\",\"author\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/7dea10d15c0307370e21d7da07d0cd11\"},\"description\":\"New IIS Server malware module found stealing Exchange Server credentials by infecting the Outlook Web App (OWA). Here's what you need to know\",\"breadcrumb\":{\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage\",\"url\":\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg\",\"contentUrl\":\"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg\",\"width\":1000,\"height\":600,\"caption\":\"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.stellarinfo.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/#website\",\"url\":\"https:\/\/www.stellarinfo.com\/blog\/\",\"name\":\"Stellar Data Recovery Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.stellarinfo.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/7dea10d15c0307370e21d7da07d0cd11\",\"name\":\"Ravi Singh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/9e95cad83fe279b559794f62193f34300d01db8f9f2ec45ce529b7ecde3796ba?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/9e95cad83fe279b559794f62193f34300d01db8f9f2ec45ce529b7ecde3796ba?s=96&d=mm&r=g\",\"caption\":\"Ravi Singh\"},\"description\":\"Ravi Singh is a Senior Writer at Stellar\u00ae. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 7 years of experience in technical writing. He writes about Microsoft Exchange, Microsoft 365, Email Migration, Linux, Windows, Mac, DIY Tech, and Smart Home. Ravi spends most of his weekends working with IoT (DIY Smart Home) devices and playing Overwatch. He is also a solo traveler who loves hiking and exploring new trails.\",\"sameAs\":[\"https:\/\/stellarinfo.com\/blog\",\"https:\/\/facebook.com\/raavisingh\",\"https:\/\/instagram.com\/ravi.s1ngh\",\"https:\/\/linkedin.com\/in\/ravi-singh-5a65356a\/\",\"https:\/\/x.com\/https:\/\/twitter.com\/ravi51ngh\",\"https:\/\/youtube.com\/ravisingh9\"],\"url\":\"https:\/\/www.stellarinfo.com\/blog\/author\/ravi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"New Owowa Malware is Stealing Exchange Server Credentials","description":"New IIS Server malware module found stealing Exchange Server credentials by infecting the Outlook Web App (OWA). Here's what you need to know","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/","og_locale":"en_US","og_type":"article","og_title":"New Owowa Malware is Stealing Exchange Server Credentials","og_description":"New IIS Server malware module found stealing Exchange Server credentials by infecting the Outlook Web App (OWA). Here's what you need to know","og_url":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/","og_site_name":"Stellar Data Recovery Blog","article_author":"https:\/\/facebook.com\/raavisingh","article_published_time":"2021-12-22T10:49:23+00:00","article_modified_time":"2024-08-21T04:13:14+00:00","og_image":[{"width":1000,"height":600,"url":"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg","type":"image\/jpeg"}],"author":"Ravi Singh","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/ravi51ngh","twitter_misc":{"Written by":"Ravi Singh","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#article","isPartOf":{"@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/"},"author":{"name":"Ravi Singh","@id":"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/7dea10d15c0307370e21d7da07d0cd11"},"headline":"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module","datePublished":"2021-12-22T10:49:23+00:00","dateModified":"2024-08-21T04:13:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/"},"wordCount":726,"image":{"@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg","articleSection":["Ransomware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/","url":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/","name":"New Owowa Malware is Stealing Exchange Server Credentials","isPartOf":{"@id":"https:\/\/www.stellarinfo.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg","datePublished":"2021-12-22T10:49:23+00:00","dateModified":"2024-08-21T04:13:14+00:00","author":{"@id":"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/7dea10d15c0307370e21d7da07d0cd11"},"description":"New IIS Server malware module found stealing Exchange Server credentials by infecting the Outlook Web App (OWA). Here's what you need to know","breadcrumb":{"@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#primaryimage","url":"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg","contentUrl":"https:\/\/www.stellarinfo.com\/blog\/wp-content\/uploads\/2021\/12\/Hackers-Stealing-Exchange-Server-Credentials-Using-Malicious-IIS-Server-Module.jpg","width":1000,"height":600,"caption":"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module"},{"@type":"BreadcrumbList","@id":"https:\/\/www.stellarinfo.com\/blog\/hackers-steal-exchange-server-credentials-owowa-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.stellarinfo.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Hackers Stealing Exchange Server Credentials Using Malicious IIS Server Module"}]},{"@type":"WebSite","@id":"https:\/\/www.stellarinfo.com\/blog\/#website","url":"https:\/\/www.stellarinfo.com\/blog\/","name":"Stellar Data Recovery Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.stellarinfo.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/7dea10d15c0307370e21d7da07d0cd11","name":"Ravi Singh","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.stellarinfo.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/9e95cad83fe279b559794f62193f34300d01db8f9f2ec45ce529b7ecde3796ba?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9e95cad83fe279b559794f62193f34300d01db8f9f2ec45ce529b7ecde3796ba?s=96&d=mm&r=g","caption":"Ravi Singh"},"description":"Ravi Singh is a Senior Writer at Stellar\u00ae. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 7 years of experience in technical writing. He writes about Microsoft Exchange, Microsoft 365, Email Migration, Linux, Windows, Mac, DIY Tech, and Smart Home. Ravi spends most of his weekends working with IoT (DIY Smart Home) devices and playing Overwatch. He is also a solo traveler who loves hiking and exploring new trails.","sameAs":["https:\/\/stellarinfo.com\/blog","https:\/\/facebook.com\/raavisingh","https:\/\/instagram.com\/ravi.s1ngh","https:\/\/linkedin.com\/in\/ravi-singh-5a65356a\/","https:\/\/x.com\/https:\/\/twitter.com\/ravi51ngh","https:\/\/youtube.com\/ravisingh9"],"url":"https:\/\/www.stellarinfo.com\/blog\/author\/ravi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/posts\/92066","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/comments?post=92066"}],"version-history":[{"count":21,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/posts\/92066\/revisions"}],"predecessor-version":[{"id":172652,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/posts\/92066\/revisions\/172652"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/media\/92137"}],"wp:attachment":[{"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/media?parent=92066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/categories?post=92066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.stellarinfo.com\/blog\/wp-json\/wp\/v2\/tags?post=92066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}