How can an attacker combine deserialization with virtual files in an Exchange environment to gain persistent access?
An attacker who already has file write permissions on the server can modify Exchange's `web.config` files (for example in the `owa` or `ecp` directories) to set a known `machineKey` and `validationKey`. With the keys known, a tool such as `ysoserial.net` can generate a malicious `ViewState` payload targeting a vulnerable page (for example `errorFE.aspx`). When that `ViewState` is posted, .NET deserializes it and the payload registers a custom `VirtualPathProvider` that serves a virtual webshell, all without writing any new file to disk. The webshell is then reachable through a unique virtual path such as `/owa/auth/fakepath31337/` followed by an extension, as detailed in the original Penetration Techniques - Hiding ASP.NET Webshells Using Virtual Files article.
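Because the chain above starts with a tampered `web.config`, a defender's first check is whether any Exchange `web.config` carries an explicit `machineKey` that was not there before. The following is an added example, not code from the original article or from any Exchange tooling: it parses a `web.config`, flags explicit `validationKey`/`decryptionKey` values, and optionally compares them against a baseline captured from a known-good copy. The sample configuration strings are constructed for the example, and the `baseline` dictionary is an assumed input that you would record during hardening.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample standing in for an attacker-modified owa/web.config.
# The key values are placeholders, not real Exchange keys.
TAMPERED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <compilation debug="false" targetFramework="4.7.2" />
  </system.web>
</configuration>
"""

# Constructed sample of a web.config with no explicit machineKey element.
CLEAN_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.7.2" />
  </system.web>
</configuration>
"""


@dataclass
class Finding:
    path: str      # file the finding refers to
    severity: str  # "high" for anything that lets ViewState be forged
    message: str


def find_machine_key(xml_text: str) -> Optional[dict]:
    """Return the attributes of <system.web><machineKey> or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return dict(node.attrib)


def audit_web_config(path: str, xml_text: str,
                     baseline: Optional[dict] = None) -> list:
    """Flag explicit machineKey material and drift from a recorded baseline.

    An explicit validationKey/decryptionKey is exactly what an attacker needs
    in order to sign a ViewState payload that the server will deserialize,
    so any value other than AutoGenerate is reported. `baseline` is an
    assumed dictionary of machineKey attributes captured from a known-good
    copy of the same file; a mismatch is reported as tampering.
    """
    findings = []
    machine_key = find_machine_key(xml_text)
    if machine_key is None:
        return findings  # no explicit key: nothing for an attacker to reuse

    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(Finding(
                path, "high",
                f"explicit {attr} present; ViewState could be forged with it"))

    if baseline is not None and machine_key != baseline:
        findings.append(Finding(
            path, "high", "machineKey differs from recorded baseline"))
    return findings


if __name__ == "__main__":
    # Paths are illustrative; on a real server you would walk the Exchange
    # virtual directories (e.g. owa, ecp) and read each web.config.
    for name, text in (("owa/web.config", TAMPERED_WEB_CONFIG),
                       ("ecp/web.config", CLEAN_WEB_CONFIG)):
        for f in audit_web_config(name, text):
            print(f"[{f.severity}] {f.path}: {f.message}")
```

Run it periodically (or from file-integrity monitoring) against every `web.config` under the Exchange install; a new or changed `machineKey` in `owa` or `ecp` is the precursor the chain above depends on, and should be treated as a possible compromise rather than a configuration drift.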
Tags: deserialization, Exchange, web.config, machineKey, ViewState, persistent access, VirtualPathProvider