A critical vulnerability in Microsoft Exchange Server dubbed as ProxyToken could allow an unauthenticated attacker to access and steal emails from a target’s mailbox.

Microsoft Exchange uses two websites.The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx. For all post-authentication requests, the front end’s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.

The issue is in a feature called “Delegated Authentication,” where the front end passes authentication requests directly to the back end. These requests contain a Security Token cookie that identify them. Exchange has to be specifically configured to have the back end perform the authentication checks. But by default it won’t be loaded.

Since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature back end doesn’t know to authenticate the requests. This results in requests bypasses the authentication in both ends. Attacker could create forwarding rule allowing them to read the victim’s incoming mail.

The ProxyToken comes after the disclosure of ProxyLogon earlier this year. That’s an exploit chain comprised of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit.