Exchange Server bug puts email accounts at risk

A vulnerability in Microsoft Exchange Server can be used to compromise email accounts managed by the email platform, according to the Zero Day Initiative (ZDI), which urges Exchange Server users to install the patch released by Microsoft last month.
ZDI said the vulnerability, known as ProxyToken or CVE-2021-33766, can be exploited to “perform configuration actions on mailboxes owned by arbitrary users.” This might not sound particularly serious, but ZDI cited the ability to “copy all emails addressed to a target account and forward them to an account controlled by the attacker” as an example of how the exploit could be used.
The fault lies in the Exchange Server architecture. ZDI said the platform sets up two websites: a front-end site that users interact with and a main site that allows the service to operate. The front end doesn’t handle anything involving authentication; this responsibility is transferred to the main site. ProxyToken abuses this configuration to bypass authentication.
ZDI has shared a proof-of-concept exploit that can be used to automatically forward all email from an Exchange user to a different account. This particular exploit requires the attacker to have an Exchange account on the same server as their victim, which limits its potential impact, but the organization noted that other ProxyToken exploits would not have the same requirements.
“On some Exchange installations,” ZDI said, “an administrator may have set a global configuration value that allows forwarding rules with arbitrary Internet destinations, and in this case the attacker does not need any Exchange credential information.”
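As an added defender-side check that is not part of the article or of ZDI's proof of concept, the Exchange Management Shell script below audits the three forwarding paths the article describes: the remote-domain setting that permits auto-forwarding to arbitrary Internet destinations, mailbox-level forwarding addresses, and inbox rules that forward or redirect mail outside the organisation. It assumes it is run with Exchange administrator rights on the server; accepted domains are treated as internal and everything else as external.

```powershell
# Added audit script (not ZDI's PoC): lists forwarding configuration that could carry
# a victim's mail to an attacker-controlled account. Run in the Exchange Management Shell.

# Accepted domains are treated as internal; any other destination domain is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Values look like "smtp:user@example.com" or "Name [SMTP:user@example.com]";
    # keep the part after '@' and strip trailing brackets.
    $domain = ($Address -replace '^smtp:', '' -split '@')[-1].Trim(']', '>', ' ').ToLower()
    return -not ($internalDomains -contains $domain)
}

# 1. Remote domains that allow automatic forwarding to the Internet
#    (the "global configuration value" the article quotes ZDI on).
Write-Host "== Remote domains with AutoForwardEnabled =="
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize

# 2. Forwarding configured on the mailbox object itself.
Write-Host "== Mailboxes forwarding to an external SMTP address =="
Get-Mailbox -ResultSize Unlimited |
    Where-Object { Test-ExternalAddress $_.ForwardingSmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward or redirect to external recipients.
Write-Host "== Inbox rules forwarding or redirecting externally =="
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ } | ForEach-Object { $_.ToString() }
            $external = $targets | Where-Object { Test-ExternalAddress $_ }
            if ($external) {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Rule     = $_.Name
                    Enabled  = $_.Enabled
                    External = ($external -join '; ')
                }
            }
        }
}
```

Any hit in section 1 widens the exposure the article describes, and hits in sections 2 and 3 that the mailbox owner cannot explain should be investigated and removed.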
ZDI said ProxyToken was disclosed to it by VNPT ISC researcher Le Xuan Tuyen in March; Microsoft released a patch related to the vulnerability in July. Exchange Server customers should install this patch, which was included with that month’s Cumulative Platform Updates, if they want to prevent attackers from exploiting the security flaw to access their email.
This is just the latest in a series of Exchange Server vulnerabilities revealed in recent months. Devcore researcher Orange Tsai has been particularly active in disclosing a number of security flaws collected under the names ProxyLogon, ProxyOracle, and ProxyShell since the Pwn2Own 2021 hack contest in April. Now others have joined the cause.
“Exchange Server continues to be a surprisingly fertile area for vulnerability research,” ZDI said. “This can be attributed to the enormous complexity of the product, both in terms of feature set and architecture. We look forward to receiving additional vulnerability reports in the future from our talented researchers working in this domain.”