ProxyToken Exchange Server Vulnerability CVE-2021-33766

Overview

Details of another Microsoft Exchange exploit (CVE-2021-33766) have been published. The vulnerability was patched in April, and exploitation attempts have since been observed in the wild.

By exploiting this vulnerability, an attacker can perform configuration actions on mailboxes belonging to arbitrary users.

Impact

A remote, unauthenticated actor could set up a mail forwarding rule to forward emails to an attacker-controlled inbox.

Detection

The following hunting query can be used to detect exploitation attempts.

W3CIISLog
// exclude requests from RFC 1918 / private source addresses
| where not(ipv4_is_private(cIP))
| where csMethod =~ "POST"
// requests to the Exchange Control Panel (ECP) application
| where csUriStem has "/ecp"
// a SecurityToken cookie is presented on the request
| where isnotempty(csCookie) and csCookie has "SecurityToken"
// together with an ECP canary value in the query string
| where csUriQuery has "msExchEcpCanary"
| extend timestamp=TimeGenerated, HostCustomEntity=Computer, IPCustomEntity=cIP

Affected Products

The following products may be vulnerable if not recently patched.

– Exchange Server 2013 up to CU23
– Exchange Server 2016 up to CU20
– Exchange Server 2019 up to CU9

Microsoft recommends using its Exchange Server Health Checker script to get an inventory of server patch levels.

Containment, Mitigations & Remediations

Microsoft patched this vulnerability in April, although it didn't assign a CVE at the time, so the fix wasn't tracked as a security patch.

Mitre Methodologies

T1190 Exploit Public-Facing Application

Further Information

Proxytoken: An Authentication Bypass In Microsoft Exchange Server