CVE-2021-33766 — Microsoft Exchange Server Information Disclosure

ProxyToken — Unauthenticated Exchange Mailbox Configuration Manipulation Enables Attacker to Forward Victim Email to Attacker-Controlled Address

What is Microsoft Exchange and the Delegated Authentication Module?

Microsoft Exchange Server processes all email for an organization — inbound, outbound, and internal. Exchange's web interfaces (Outlook Web Access/OWA) use various authentication mechanisms including delegated authentication, which allows the Exchange Front End (acting as a proxy) to pass authentication decisions to a backend authentication module. The Delegated Authentication Module is responsible for validating credentials for specific Exchange endpoints. When this module is misconfigured or has a flaw, it can allow unauthenticated requests to appear authenticated — bypassing Exchange's primary security boundary and enabling unauthorized mailbox manipulation.

Overview

CVE-2021-33766, publicly named ProxyToken, is an information disclosure vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to configure mailbox forwarding rules and steal victim email. The vulnerability lies in Exchange's Delegated Authentication feature: when a request carrying a non-empty SecurityToken cookie reaches the /ecp/ (Exchange Control Panel) endpoint, the front-end proxy delegates authentication to the backend, which fails to validate the token and treats the request as authenticated. This allows an unauthenticated attacker to create server-side inbox rules — including rules that silently copy or forward all incoming email to an attacker-controlled address — for any mailbox on the Exchange server. Microsoft patched it in the July 2021 Patch Tuesday updates. DEVCORE researcher Le Xuan Tuyen and Zero Day Initiative published the technical details in August 2021.

Affected Versions

Product                          Vulnerable   Fixed
Exchange Server 2013 CU23        Yes          July 2021 Patch Tuesday
Exchange Server 2016 CU21/CU20   Yes          July 2021 Patch Tuesday
Exchange Server 2019 CU10/CU9    Yes          July 2021 Patch Tuesday

Technical Details

  • Root cause: Authentication bypass in Exchange's Delegated Authentication path — when a request arrives at the /ecp/ endpoint with a non-empty SecurityToken cookie, the Exchange Front End passes the request to the Delegated Authentication module on the backend; the backend module checks whether the delegated-authentication (SecurityToken) feature is enabled in its configuration (it is not by default), and when it is not enabled, it lets the request through as if authentication had succeeded — effectively treating unauthenticated requests as authenticated
  • Mailbox forwarding rule creation: Once the authentication bypass allows access to the Exchange Control Panel, the attacker can create server-side transport rules or inbox rules for any mailbox — including rules that forward copies of all incoming email to an external attacker-controlled address
  • No authentication required: CVSS PR:N — any network-accessible attacker can exploit this; no credentials are required, and the attack does not require tricking a user
  • Information theft focus: Unlike code execution vulnerabilities, ProxyToken's primary impact is silent email theft — the targeted organization may not detect forwarding rules immediately, allowing sustained email interception
  • Exchange chain context: ProxyToken was discovered during DEVCORE's broader Exchange security research that also produced ProxyLogon (CVE-2021-26855) and ProxyShell, reflecting systematic analysis of Exchange authentication and proxy mechanisms

Discovery

Discovered by Le Xuan Tuyen of DEVCORE Research Team as part of a broader Exchange security research project. DEVCORE reported the vulnerability to Microsoft through Zero Day Initiative. ZDI and DEVCORE published the technical ProxyToken analysis on August 17, 2021, after the July 2021 patch.

Exploitation Context

ProxyToken's ability to silently create mailbox forwarding rules makes it particularly dangerous for business email compromise (BEC) and intelligence collection scenarios. An attacker who exploits ProxyToken against an executive's mailbox receives a real-time copy of all incoming email — including financial discussions, merger communications, legal matters, and credentials — without the victim detecting any change. The January 2022 CISA KEV addition (six months after the patch) reflects confirmed exploitation against Exchange servers that remained unpatched following the active Exchange exploitation period of 2021. Exchange organizations that applied ProxyLogon/ProxyShell patches but did not apply the July 2021 Patch Tuesday updates remained vulnerable to ProxyToken's unauthenticated email theft.

Remediation

  1. Apply July 2021 Patch Tuesday Security Updates for Exchange Server 2013, 2016, and 2019
  2. After patching, audit existing Exchange inbox rules and transport rules for unauthorized forwarding rules to external addresses — PowerShell (Get-InboxRule takes a single mailbox, so pipe mailboxes in rather than using a wildcard): Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object {$_.ForwardTo -ne $null -or $_.ForwardAsAttachmentTo -ne $null}
  3. Remove any suspicious forwarding rules discovered during the audit
  4. Consider disabling external email forwarding at the organization level if it is not a business requirement: use Exchange transport rules to block automatic forwarding to external domains
  5. Enable Microsoft Defender for Office 365 or equivalent — it can detect anomalous forwarding rule creation as a suspicious activity indicator
  6. Review Exchange admin logs for /ecp/ requests with SecurityToken cookies from external IP addresses during the vulnerability window
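The remediation steps above, worked through as an added PowerShell example that is not part of this advisory and not Microsoft's own tooling. It is meant to run in the on-premises Exchange Management Shell and assumes the Exchange cmdlets (Get-Mailbox, Get-InboxRule, Get-TransportRule, New-TransportRule) are available; the internal domain, IP prefixes, rule name and log path are placeholders, and the log scan assumes the IIS W3C log for the Exchange site has the cs(Cookie) field enabled, which is off by default.

```powershell
# Added example for the remediation steps above (not from the advisory or from
# Microsoft): post-patch ProxyToken hunting from the Exchange Management Shell.
# Assumptions: on-premises Exchange cmdlets are available; the domains, IP
# prefixes and log paths are placeholders to replace with your own; and IIS
# W3C logging for the Exchange site includes cs(Cookie), which is off by default.

# Step 2: inbox rules on every mailbox that forward, forward-as-attachment or
# redirect mail. Get-InboxRule takes one mailbox at a time, so mailboxes are
# piped in rather than using a wildcard.
function Get-ForwardingInboxRules {
    param([string[]]$InternalDomains = @('corp.example'))  # placeholder accepted domains
    Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        $rule = $_
        # Recipient values render as '"Name" [SMTP:addr]' or as a bare address;
        # a regex pulls the SMTP address out of either form.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            ForEach-Object { [regex]::Matches([string]$_, '[\w.+-]+@[\w.-]+') } |
            ForEach-Object { $_.Value.ToLowerInvariant() }
        $external = @($targets | Where-Object { $InternalDomains -notcontains $_.Split('@')[1] })
        [pscustomobject]@{
            Mailbox  = $rule.MailboxOwnerId
            Rule     = $rule.Name
            Enabled  = $rule.Enabled
            Targets  = ($targets -join ';')
            External = ($external.Count -gt 0)   # candidates for removal in step 3
        }
    }
}

# Step 2 continued: organization-wide transport rules that copy or redirect mail.
function Get-ForwardingTransportRules {
    Get-TransportRule | Where-Object { $_.BlindCopyTo -or $_.CopyTo -or $_.RedirectMessageTo } |
        Select-Object Name, State, BlindCopyTo, CopyTo, RedirectMessageTo
}

# Step 4: reject automatic forwards from inside the organization to outside it.
function New-BlockExternalAutoForwardRule {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    New-TransportRule -Name 'Block external auto-forward' `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted'
}

# Step 6: scan IIS W3C logs for /ecp/ requests carrying a non-empty SecurityToken
# cookie from addresses outside the internal ranges.
function Find-SecurityTokenEcpRequests {
    param(
        [Parameter(Mandatory)][string[]]$LogPath,
        [string[]]$InternalPrefixes = @('10.', '192.168.')  # placeholder; 172.16/12 needs a real CIDR test
    )
    foreach ($file in $LogPath) {
        $fields = $null
        foreach ($line in Get-Content -Path $file) {
            if ($line.StartsWith('#Fields:')) {            # W3C header names the columns
                $fields = $line.Substring(8).Trim() -split '\s+'
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            $cols = $line -split ' '                      # IIS encodes spaces in values as '+'
            $row = @{}
            for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }
            if ($row['cs-uri-stem'] -notlike '/ecp/*') { continue }
            if ($row['cs(Cookie)'] -notmatch 'SecurityToken=[^;]') { continue }   # '-' when absent
            $ip = [string]$row['c-ip']
            if ($InternalPrefixes | Where-Object { $ip.StartsWith($_) }) { continue }
            [pscustomobject]@{
                Date = $row['date']; Time = $row['time']; ClientIP = $ip
                Uri = $row['cs-uri-stem']; Status = $row['sc-status']
            }
        }
    }
}

# Usage from the Exchange Management Shell:
#   Get-ForwardingInboxRules | Where-Object External | Format-Table -AutoSize
#   Get-ForwardingTransportRules
#   New-BlockExternalAutoForwardRule -WhatIf   # dry run; drop -WhatIf to create the rule
#   Find-SecurityTokenEcpRequests -LogPath 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex210701.log'  # placeholder path
```

Findings with External set to true are the ones to review and remove (step 3), for example by piping the offending mailbox through Get-InboxRule and Remove-InboxRule after confirming the owner did not create the rule. The log scan only matches the cookie when the IIS site logs cs(Cookie); without that field it returns nothing, so check the #Fields: header of the log files first.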

Key Details

Property              Value
CVE ID                CVE-2021-33766
Vendor / Product      Microsoft — Exchange Server
NVD Published         2021-07-14
NVD Last Modified     2025-10-29
CVSS 3.1 Score        7.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity              HIGH
CISA KEV Added        2022-01-18
CISA KEV Deadline     2022-02-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date         Event
2021-07-13   Microsoft patches CVE-2021-33766 (ProxyToken) in July 2021 Patch Tuesday
2021-07-14   CVE published
2021-08-17   DEVCORE researcher Le Xuan Tuyen and Zero Day Initiative publish ProxyToken technical details
2022-01-18   Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01   CISA BOD 22-01 remediation deadline