In this white paper, we present the analysis of LightNeuron, a backdoor specifically designed to target Microsoft Exchange mail servers.

Key points in this white paper:
* Turla is believed to have used LightNeuron since at least 2014.
* LightNeuron is the first publicly known malware to use a malicious Microsoft Exchange Transport Agent.
* LightNeuron can spy on all emails going through the compromised mail server.
* LightNeuron can modify or block any email going through the compromised mail server.
* LightNeuron can execute commands sent by email.
* Commands are hidden in specially crafted PDF or JPG attachments using steganography.
* LightNeuron is hard to detect at the network level because it does not use standard HTTP(S) communications.
* LightNeuron was used in recent attacks against diplomatic organizations in Eastern Europe and the Middle East.