'ProxyToken' bug allowed attackers to reconfigure Exchange mailboxes

Researchers have published technical details on a low-complexity attack against Microsoft's Exchange Server, which exploits a vulnerability that allows unauthenticated threat actors to - for example - copy all emails sent to a particular user's mailbox, and forward them to another account.

The flaw, dubbed ProxyToken, was found by Le Xuan Tuyen, at the Vietnam Post and Telecommunications Group's Information Security Centre.

Exchange Server sets up two Internet Information Server instances, with one proxying for the internally facing back end.

A flaw in the Exchange Server default configuration meant the front end IIS instance passed on incoming requests to the back end, where delegated authentication was expected to take place, but didn't.

"The net result is that requests can sail through, without being subjected to authentication on either the front or back end," Trend Micro's Zero Day Initiative wrote.

Attackers could use the ProxyToken authentication bug to forward a user's messages, and make other configuration changes to mailboxes.

ZDI expects further Exchange bugs to see the light. 

"Exchange Server continues to be an amazingly fertile area for vulnerability research," the security researchers said.

Earlier this year, Huntress Lab said it was tracking an exploited vulnerability chain, ProxyShell, which could be used to run arbitrary commands on Microsoft Exchange Servers without authentication, to install malware such as webshells.

Microsoft has acknowledged the bug, which affects Exchange Server 2013, 2016 and 2019, and issued patches for the vulnerability in July this year.