Microsoft Exchange ProxyToken bug can let hackers steal user email

Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account.

An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel (ECP) application and steal messages from a victim’s inbox.

Delegation confusion

Tracked as CVE-2021-33766, ProxyToken gives unauthenticated attackers access to the configuration options of user mailboxes, where they can define an email forwarding rule.

As a result, email messages intended for a target user can also be delivered to an account that the attacker controls.

The bug was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC) and reported through the Zero-Day Initiative (ZDI) program in March.

He found that Microsoft Exchange’s frontend site (Outlook Web Access, Exchange Control Panel) functions largely as a proxy for the backend site (Exchange Back End), to which it passes authentication requests.

In Microsoft Exchange deployments where the “Delegated Authentication” feature is active, the frontend forwards the requests that need authentication to the backend, which identifies them by the presence of a ‘SecurityToken’ cookie.

Image: the 'SecurityToken' cookie needed to exploit the ProxyToken vulnerability in Microsoft Exchange Server (source: ZDI)

When there is a non-empty ‘SecurityToken’ cookie in a request within ‘/ecp’, the frontend delegates the authentication decision to the backend.

However, in the default Microsoft Exchange configuration, the module responsible for performing that delegated validation (DelegatedAuthModule) is not loaded for the backend ECP site.

“In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature” – Zero-Day Initiative
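To make the two-sided assumption concrete, here is a small model of the delegation confusion, added for this article and not Exchange code: the Frontend and Backend classes, the token and password tables, and the fail_closed switch are all assumptions. The vulnerable backend assumes the frontend authenticated the caller, while the hardened variant denies any delegated request it has no module to validate.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data (not real Exchange values): one delegated token, one password.
VALID_SECURITY_TOKENS = {"tok-alice-constructed": "alice"}
VALID_PASSWORDS = {"alice": "correct-horse-battery-staple"}

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    basic_auth: Optional[Tuple[str, str]] = None  # (user, password) or None

class Backend:
    """Backend ECP site. DelegatedAuthModule is what would validate a SecurityToken
    cookie, but in the default configuration it is not loaded for /ecp."""
    def __init__(self, delegated_auth_module_loaded: bool, fail_closed: bool):
        self.module_loaded = delegated_auth_module_loaded
        self.fail_closed = fail_closed  # hardened variant: deny what nobody validated

    def handle(self, req: Request) -> str:
        token = req.cookies.get("SecurityToken")
        if self.module_loaded and token:
            user = VALID_SECURITY_TOKENS.get(token)
            return f"200 OK: ECP served for {user}" if user else "401 Unauthorized"
        if token and self.fail_closed:
            # The frontend delegated a decision this backend cannot make: deny.
            return "401 Unauthorized"
        # Default backend behaviour: assume the frontend already authenticated the caller.
        return "200 OK: ECP served (backend trusted the frontend)"

class Frontend:
    """Frontend site (OWA/ECP) that proxies /ecp requests to the backend."""
    def __init__(self, backend: Backend):
        self.backend = backend

    def handle(self, req: Request) -> str:
        if req.path.startswith("/ecp") and req.cookies.get("SecurityToken"):
            # Delegated authentication: skip the local check and let the backend decide.
            return self.backend.handle(req)
        creds = req.basic_auth
        if not (creds and VALID_PASSWORDS.get(creds[0]) == creds[1]):
            return "401 Unauthorized"
        return self.backend.handle(req)

def probe(delegated_auth_module_loaded: bool, fail_closed: bool, cookies: dict) -> str:
    # Send an /ecp request carrying no credentials through the given configuration.
    frontend = Frontend(Backend(delegated_auth_module_loaded, fail_closed))
    return frontend.handle(Request("/ecp/", dict(cookies)))  # constructed path
```

With the default configuration, an arbitrary non-empty cookie is enough for the request to be served; with the module loaded the token is actually checked, and with fail_closed the backend refuses to guess.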

Exploiting ProxyToken also relies on a second, minor issue: requests to the /ecp page need a ticket known as the “ECP canary,” which can be obtained by triggering an HTTP 500 error.

As it turns out, a request sent without the ticket triggers an HTTP 500 error whose response contains a valid canary string, which is exactly what is needed to issue an unauthenticated request successfully.

Image: the ECP canary string used to exploit the ProxyToken vulnerability in Microsoft Exchange Server (source: ZDI)

A patch has been available from Microsoft since July, according to the company’s public advisory. Rapid7’s Tom Sellers notes, though, that version numbers and dates indicate the patches had been released as early as April.

The vulnerability is not critical: NIST calculated its severity score at 7.5 out of 10, because an attacker needs an account on the same Exchange server as the victim.

As an example, a request from an attacker looks like this:

Image: HTTP request that triggers the ProxyToken vulnerability in Microsoft Exchange Server

In a blog post today, the Zero-Day Initiative notes that some Exchange server administrators set a global configuration value that permits creating an email forwarding rule to an arbitrary destination. In such cases, the attacker needs no credentials.

Exploit attempts

Although technical details for ProxyToken have been released only today, exploit attempts have been recorded as early as three weeks ago.

Rich Warren, a red teamer at NCC Group, says he saw a larger number of exploitation attempts on August 10.

Image: ProxyToken exploit attempts (source: Rich Warren)

As in the case of ProxyShell vulnerabilities, if administrators of Microsoft Exchange servers have not installed the patches for ProxyToken, they should prioritize the task.
