Microsoft Exchange ‘ProxyToken’ Bug Allows Email Snooping (Security News, August 2021)
Microsoft Exchange uses two websites; one, the front end, is what users connect to in order to access email.
"The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx," according to a Monday posting on the bug from Trend Micro's Zero Day Initiative.
"For all post-authentication requests, the front end's main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client."
The issue arises specifically in a feature called "Delegated Authentication," where the front end passes authentication requests directly to the back end.
These requests contain a SecurityToken cookie that identifies them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end.
Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that isn't loaded.
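As an added example (not code from the article, ZDI or Microsoft), the following Python script scans front-end request records for the delegation trigger described above, a non-empty SecurityToken cookie, so that an operator running the default configuration can review requests that should not normally carry it. The record format, client addresses and cookie values are constructed, and the script assumes the access logs retain the Cookie header.

```python
"""Flag front-end requests carrying a non-empty SecurityToken cookie."""
from typing import Dict, List, Tuple

# Constructed sample records: (client IP, request path, raw Cookie header).
# IPs are documentation ranges; paths are the ones named in the article.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("203.0.113.5", "/owa/auth/logon.aspx", ""),
    ("203.0.113.5", "/owa/", "ASP.NET_SessionId=abc123; X-OWA-CANARY=c0ffee"),
    ("198.51.100.9", "/owa/", "SecurityToken=x"),
    ("198.51.100.9", "/owa/", "securitytoken=y; ASP.NET_SessionId=def456"),
    ("198.51.100.9", "/owa/", "SecurityToken=; ASP.NET_SessionId=def456"),
]


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into {name: value}.

    Names are lower-cased so a case variant of the cookie is not missed;
    a bare name without '=' is ignored, an empty value is kept as ''.
    """
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name.strip().lower()] = value.strip()
    return cookies


def has_delegation_trigger(cookie_header: str) -> bool:
    """True when SecurityToken is present with a non-empty value, which is
    the condition the article gives for the front end to delegate auth."""
    return parse_cookies(cookie_header).get("securitytoken", "") != ""


def find_delegation_requests(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the records that would make the front end delegate.

    Under the default configuration described in the article (delegated
    authentication module not loaded) none are expected, so every hit is
    worth a manual look.
    """
    return [r for r in records if has_delegation_trigger(r[2])]


if __name__ == "__main__":
    for ip, path, cookies in find_delegation_requests(SAMPLE_REQUESTS):
        print(f"review: {ip} {path} cookies={cookies!r}")
```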
News URL: https://threatpost.com/microsoft-exchange-proxytoken-email/169030/