Email Security

‘ProxyToken’ Exchange Server Vulnerability Leads to Email Compromise

A vulnerability that Microsoft patched in Exchange Server earlier this year can allow attackers to set forwarding rules on target accounts and gain access to incoming emails.

Tracked as CVE-2021-33766 and referred to as ProxyToken, the vulnerability has a severity rating of medium (CVSS score of 6.5). The security hole was identified by Le Xuan Tuyen of VNPT ISC, working with Trend Micro’s Zero Day Initiative (ZDI).

The bug lies in how requests to services under the ecp web application (the Exchange Control Panel) are authenticated: a crafted request can bypass authentication entirely.

“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker,” ZDI’s Simon Zuckerbraun explains.

The issue exists because neither of the two sites Exchange creates in IIS (one functioning as the front end, the other as the back end) authenticates certain requests when the Delegated Authentication feature is not enabled and the request carries a non-empty cookie named SecurityToken. Each side assumes the other has done the work.

“In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature,” Zuckerbraun notes.

He also explains that the ECP site’s request-forgery protection does not stop unauthenticated requests either: a request to an /ecp page that lacks the “ECP canary” ticket draws an HTTP 500 response, but that error response itself contains a valid canary, so the missing ticket can simply be taken from it and supplied on the next request.
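The two request patterns described above (an /ecp request carrying a SecurityToken cookie, and an HTTP 500 on /ecp followed by a replayed POST from the same client) are visible in the front-end site’s IIS logs. The following hunting script is an added example and is not code from the article or from ZDI’s write-up. It assumes the site has been configured to log the optional cs(Cookie) field (it is not logged by default) and that the column order follows the log’s own #Fields: header; the sample log lines are constructed for the example and are not real traffic.

```powershell
# Added example (not from the article or the ZDI write-up): scan IIS W3C logs from
# the Exchange front-end site for the two request patterns ProxyToken produces.
# Assumptions: cs(Cookie) logging is enabled on the site (off by default) and the
# column order matches the '#Fields:' header in the log.

function Find-ProxyTokenIndicators {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds = 60
    )

    # Parse the W3C format: a '#Fields:' comment names the columns for the
    # lines that follow; other '#' lines are metadata and are skipped.
    $fields = @()
    $records = foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        $row['Timestamp'] = [datetime]::ParseExact(
            "$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
            [System.Globalization.CultureInfo]::InvariantCulture)
        [pscustomobject]$row
    }

    $ecp = @($records | Where-Object { $_.'cs-uri-stem' -like '/ecp/*' })

    # Pattern 1: an /ecp request carrying a SecurityToken cookie. On an unpatched
    # server with Delegated Authentication off, the front end hands such a request
    # to a back end that never authenticates it.
    foreach ($r in $ecp) {
        if ($r.'cs(Cookie)' -match '(^|;\s*)SecurityToken=') {
            [pscustomobject]@{
                ClientIP  = $r.'c-ip'
                Time      = $r.Timestamp
                Indicator = 'SecurityToken cookie on /ecp request'
                Request   = "$($r.'cs-method') $($r.'cs-uri-stem')"
            }
        }
    }

    # Pattern 2: an /ecp request answered with HTTP 500 (no canary ticket), followed
    # shortly by a POST from the same client: the shape of harvesting the canary
    # from the error response and replaying it.
    foreach ($group in ($ecp | Group-Object 'c-ip')) {
        $ordered = @($group.Group | Sort-Object Timestamp)
        foreach ($err in ($ordered | Where-Object { $_.'sc-status' -eq '500' })) {
            $replay = $ordered | Where-Object {
                $_.'cs-method' -eq 'POST' -and $_.Timestamp -gt $err.Timestamp -and
                ($_.Timestamp - $err.Timestamp).TotalSeconds -le $WindowSeconds
            } | Select-Object -First 1
            if ($replay) {
                [pscustomobject]@{
                    ClientIP  = $group.Name
                    Time      = $replay.Timestamp
                    Indicator = 'HTTP 500 on /ecp followed by POST within window'
                    Request   = "$($replay.'cs-method') $($replay.'cs-uri-stem')"
                }
            }
        }
    }
}

# Constructed sample log (not real traffic): the first client shows both patterns,
# the second is an ordinary authenticated ECP session and should produce no hit.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)
2021-08-30 10:00:01 203.0.113.7 GET /ecp/default.aspx - 500 SecurityToken=abc
2021-08-30 10:00:03 203.0.113.7 POST /ecp/default.aspx - 200 SecurityToken=abc;msExchEcpCanary=ZZZ
2021-08-30 10:01:00 198.51.100.4 GET /owa/auth/logon.aspx - 200 -
2021-08-30 10:01:05 198.51.100.4 GET /ecp/default.aspx - 200 ASP.NET_SessionId=s1
'@ -split "`r?`n"

Find-ProxyTokenIndicators -Lines $sample | Format-Table -AutoSize

# Against real logs, point it at the front-end site's log directory, e.g.:
# Find-ProxyTokenIndicators -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex210830.log')
```

On the sample above the script reports three findings for 203.0.113.7 (the GET and the POST both carry the SecurityToken cookie, and the 500-then-POST sequence fires once) and nothing for 198.51.100.4. The second pattern is noisier than the first, since legitimate clients can also hit a 500 and retry, so treat it as a lead to pivot on rather than an alert on its own.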

An attacker with an account on the same Exchange server as the victim can exploit the vulnerability to set a forwarding rule that delivers copies of all the victim’s incoming mail to the attacker’s own mailbox. If the Exchange administrator has set the global configuration value that permits forwarding rules to arbitrary Internet destinations, the attacker does not need Exchange credentials at all, because the rule can forward to an external address instead.
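Two things follow for defenders: confirm whether external auto-forwarding is permitted (the condition under which no credentials are needed), and look for the forwarding rules an attacker would have left behind. The Exchange Management Shell commands below are an added example, not code from the article or from ZDI. They assume the “global configuration value” the write-up refers to is the AutoForwardEnabled setting on the default remote domain, which is what governs whether inbox rules may forward mail to external addresses.

```powershell
# Added example (not from the article or ZDI): Exchange Management Shell checks for
# the precondition and the outcome of a ProxyToken attack. Run on-premises as an
# Exchange administrator.
# Assumption: the "global configuration value" in the write-up is AutoForwardEnabled
# on the default remote domain ('*'), which controls forwarding to the Internet.

# 1. Server build, to compare against the versions Microsoft's advisory lists as fixed.
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion

# 2. The global external-forwarding switch. $true on the default domain means an
#    inbox rule can forward to any Internet address, i.e. no mailbox is needed.
Get-RemoteDomain | Select-Object DomainName, AutoForwardEnabled

# 3. Mailbox-level forwarding set by an administrator or through ECP.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 4. Inbox rules that forward or redirect mail: the artefact a ProxyToken attacker
#    leaves behind. Review every hit, external destinations first.
$forwardingRules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
}
$forwardingRules |
    Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Format-Table -AutoSize -Wrap

# 5. Hardening: remove the "no credentials needed" condition by disabling external
#    auto-forwarding unless there is a documented business need for it.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Step 4 can take a while on a large organization, since it opens every mailbox; for incident response it is usually enough to scope it to the mailboxes of interest. Disabling external auto-forwarding does not fix the vulnerability itself, it only removes the unauthenticated path; the April update is still the actual remediation.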

“Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well,” Zuckerbraun says.

Microsoft informed customers of the patches for Exchange Server 2013, 2016 and 2019 in an advisory issued in July, but the fixes themselves had already shipped in April, so servers that installed the April updates already carry the fix.

“This is an interesting security vulnerability, but because this requires an existing active account on Microsoft Exchange to begin with…this is not a huge external threat. It can be used as part of a chained exploit where the attacker has already gained access, and it can be used for spear phishing, eavesdropping and even escalation of privilege attacks…so it is not nothing. Anyone can think up some malicious attacks using it, if the initial access is already gained,” Roger Grimes, data-driven defense evangelist at KnowBe4, said in an emailed comment.

Related: CISA, Microsoft Issue Guidance on Recent Azure Cosmos DB Vulnerability

Related: Misconfigured Microsoft Power Apps Portals Exposed Millions of Records

Related: CISA Warns Organizations of ProxyShell Attacks on Exchange Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
