ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!

Conference:  BlackHat USA 2021



The presentation discusses the importance of securing Exchange servers and highlights the vulnerabilities found in the architecture of Exchange servers.
  • Exchange servers are high value assets for corporations as they store confidential information
  • Exchange servers have been a top target for nation-state actors for a long time
  • There are more than 400,000 Exchange servers exposed on the internet, making it crucial to secure them
  • The presentation reviews the architecture of Exchange servers and finds a new attack surface
  • This attack surface yielded multiple vulnerabilities, which were chained into three exploit chains
  • The presentation highlights the importance of logic bugs and their ease of exploitation
  • The client access service (CAS) is a fundamental component in Exchange servers and is vulnerable to attacks
  • The presentation provides a detailed architecture of CAS and how it is vulnerable to attacks
The presenter mentions a critical vulnerability in Exchange servers that was a hard-coded crypto key, which shows that Exchange servers still have security weaknesses despite being patched by Microsoft. The presenter also notes that even if a researcher finds a highly critical vulnerability, Microsoft may not award any bounty if it is out of scope.


Microsoft Exchange Server is an email solution widely deployed within government and enterprises, and it is an integral part of both their daily operations and security. Needless to say, vulnerabilities in Exchange have long been the Holy Grail for attackers, hence our security research on Exchange. Surprisingly, we've found not only critical vulnerabilities such as ProxyLogon, but a whole new attack surface of Exchange.

This new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts, leading us to discover this new attack surface.

To unveil the beauty of this attack surface and our novel exploitation, we'll start by analyzing this architecture, followed by 7 vulnerabilities that consist of server-side bugs, client-side bugs, and crypto bugs found via this attack surface. In the end, these vulnerabilities are chained into 3 attack vectors that shine in different attack scenarios: ProxyLogon, ProxyShell, and ProxyOracle. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.

This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections, or logic flaws, but we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities. We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server.
Last but not least, we'll provide hardening actions to mitigate such types of 0days in Exchange.