How does the ExpiredPassword.aspx webshell in HyperShell evade detection?
The ExpiredPassword.aspx webshell is disguised as the legitimate Exchange password reset page at `/owa/auth/ExpiredPassword.aspx`. It executes commands with System privileges: the command is passed in the `newPwd2` form parameter and hashed with the secret salt `reDGEa@#!%FS`. Because the malicious functionality blends into normal Exchange traffic, the webshell is hard to spot, a technique analyzed in *Analysis of APT34 Leaked Tools - HighShell and HyperShell*.
Tags: ExpiredPassword, webshell, Exchange, evasion, System privileges, APT34