[MART] - Daily Diary #337 - Email Snooping Via Microsoft Exchange Bug

CTAS-MAT ctas-mat at appgate.com
Mon Aug 30 22:25:10 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

08/30/2021 - Diary entry #337:

A new vulnerability called ProxyToken was found in Microsoft Exchange Server. By abusing this vulnerability, a threat actor can perform configuration actions on mailboxes, copying all emails addressed to a target and forwarding them to another account. Effectively, this allows an unauthenticated attacker to steal emails from a target's mailbox.

The vulnerability occurs specifically in a feature called Delegated Authentication, where the front end passes authentication requests directly to the back end. However, by default, the modules responsible for that authentication are not loaded, allowing the request to pass without being authenticated.

The bug was reported in July, and it has already been patched. As we have seen recently, Microsoft Exchange Server is widely used in several companies, and lots of them use outdated on-premises versions, making vulnerabilities like these very attractive to attackers. Vulnerabilities in Microsoft Exchange are commonly used as an initial infection vector or for data exfiltration. A similar case is ProxyLogon, an exploit which uses four chained vulnerabilities to achieve pre-authentication remote code execution (RCE), covered in our Daily Diary #221, that was widely exploited in the wild to install cryptominers on vulnerable systems.

Kind Regards,


Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
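
Added example, not part of the original message or of any Appgate or Microsoft tooling: since the impact described above is a forwarding setting placed on a victim mailbox, this PowerShell function reviews mailbox objects for forwarding that leaves the organization. The function name, the sample mailboxes and the domains are constructed for illustration; the property names are those returned by the Exchange Get-Mailbox cmdlet.

```powershell
# Added example. Flags mailboxes whose forwarding settings send mail outside
# the organization. Function name, sample data and domains are constructed.
function Find-ExternalForwarding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]   $Mailbox,
        [Parameter(Mandatory)]                    [string[]] $InternalDomains
    )
    process {
        $smtp      = [string]$Mailbox.ForwardingSmtpAddress
        $recipient = [string]$Mailbox.ForwardingAddress
        if (-not $smtp -and -not $recipient) { return }   # no forwarding configured

        $finding = $null
        if ($smtp) {
            # Exchange stores this value with a prefix, e.g. "smtp:user@example.org"
            $address = $smtp -replace '^smtp:', ''
            $domain  = ($address -split '@')[-1]
            if ($InternalDomains -notcontains $domain) {
                $finding = "forwards to external address $address"
            }
        }
        if (-not $finding -and $recipient) {
            # ForwardingAddress names a directory recipient, which may be a
            # mail contact that itself points to an external address.
            $finding = "forwards to recipient '$recipient' (resolve and review)"
        }
        if ($finding) {
            [pscustomobject]@{
                Mailbox        = $Mailbox.PrimarySmtpAddress
                Finding        = $finding
                # True means the owner still receives every message, so the
                # copy going elsewhere is not visible from the inbox.
                KeepsLocalCopy = [bool]$Mailbox.DeliverToMailboxAndForward
            }
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@corp.example'; ForwardingSmtpAddress = 'smtp:drop@mail.example.net'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@corp.example';   ForwardingSmtpAddress = $null; ForwardingAddress = $null; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@corp.example'; ForwardingSmtpAddress = 'smtp:carol@branch.corp.example'; ForwardingAddress = 'Archive Contact'; DeliverToMailboxAndForward = $true }
)
$sample | Find-ExternalForwarding -InternalDomains 'corp.example', 'branch.corp.example' | Format-Table -AutoSize

# In the Exchange Management Shell (assumed environment):
# Get-Mailbox -ResultSize Unlimited | Find-ExternalForwarding -InternalDomains (Get-AcceptedDomain).DomainName
```

On the sample data this reports alice (external SMTP forward with a local copy kept) and carol (forward to a directory recipient that needs resolving), and skips bob.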
