Background
If ProxyLogon was the wake-up call, ProxyShell was the sequel that proved nobody had actually woken up. Orange Tsai of DEVCORE first used the chain to win Pwn2Own Vancouver in April 2021 and presented it publicly at Black Hat USA 2021 on 5 August, demonstrating a full unauthenticated RCE path against on-premises Exchange Server. Microsoft had already shipped fixes in April and May 2021, but scanning and exploitation started within days of the talk, and organisations that had not patched found themselves in serious trouble.
CVE-2021-34473 is the authentication bypass component of the ProxyShell chain. Exchange Server is a critical piece of infrastructure for most enterprises; remote code execution against it typically means full network compromise within hours.
Technical Mechanism
Exchange’s Client Access Service (the frontend) supports Explicit Logon, which lets a user open another mailbox by embedding its SMTP address in the URL, in the generic form /<vdir>/user@domain/<resource>. The frontend extracts the address, uses the domain after the @ for routing, removes the Explicit Logon portion from the URL and proxies what remains to the backend. For the Autodiscover endpoint the address is read from the Email query parameter.
CVE-2021-34473 is a path confusion in that rewrite. The Explicit Logon string is cut out of the URL with a plain substring operation, the string itself is attacker-controlled through the Email parameter, and nothing verifies that the remainder is still an Autodiscover URL. A request of the form /autodiscover/autodiscover.json?@<domain>/<backend path>/?&Email=autodiscover/autodiscover.json%3F@<domain> therefore loses its leading autodiscover.json?@<domain> portion and reaches the backend at /<backend path>. Because frontend-to-backend traffic is authenticated by the frontend itself, the backend evaluates the request as NT AUTHORITY\SYSTEM; the attacker supplies no credentials at all, which is why this component is classed as an authentication bypass (and is often described as an SSRF).
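As an added illustration (not Exchange's code and not part of the original advisory), the following Python models the rewrite just described. `vulnerable_frontend` imitates the pre-patch behaviour: it takes the Explicit Logon address from the Email parameter, cuts that substring plus the following slash out of the URI and proxies the rest as SYSTEM. `hardened_frontend` shows the checks a safe rewrite has to enforce; it is illustrative and is not Microsoft's actual fix. The two request URIs, the `evil.example`/`corp.example` names and the `/powershell/` backend target are constructed for the example.

```python
# Simplified model of the ProxyShell path confusion (added illustration, not
# Exchange code). The real rewrite lives in the CAS HttpProxy module; this
# only mimics the behaviour described in public analyses.
import re
from urllib.parse import parse_qs, urlsplit

SYSTEM = r"NT AUTHORITY\SYSTEM"   # identity the frontend presents to the backend
VDIR = "/autodiscover/"           # virtual directory this handler is responsible for

# A plain SMTP address: one local part, one dotted domain, no '/' or '?' anywhere.
SMTP_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def explicit_logon_address(request_uri: str) -> str:
    """Return the Email query parameter (percent-decoded), or '' if absent."""
    return parse_qs(urlsplit(request_uri).query).get("Email", [""])[0]


def vulnerable_frontend(request_uri: str) -> dict:
    """Pre-patch behaviour: strip '<address>/' wherever it occurs in the URI and
    forward whatever is left, evaluated on the backend as SYSTEM."""
    address = explicit_logon_address(request_uri)
    if "@" not in address:
        return {"accepted": True, "backend_path": urlsplit(request_uri).path,
                "identity": "caller", "reason": "no explicit logon"}
    idx = request_uri.find(address)
    if idx < 0:
        return {"accepted": False, "backend_path": None, "identity": None,
                "reason": "explicit logon address not found in URI"}
    # Substring cut: everything before the address, then everything after the
    # slash that follows it. Nothing checks what that leaves behind.
    stripped = request_uri[:idx] + request_uri[idx + len(address) + 1:]
    return {"accepted": True, "backend_path": urlsplit(stripped).path,
            "identity": SYSTEM, "reason": "explicit logon"}


def hardened_frontend(request_uri: str) -> dict:
    """What a safe rewrite must enforce (illustrative): the address is a plain
    SMTP address, only a whole path segment equal to it is removed, the result
    stays inside this handler's virtual directory, and the backend is told
    who the caller is rather than trusting the proxy channel."""
    parts = urlsplit(request_uri)
    address = explicit_logon_address(request_uri)
    if not address:
        return {"accepted": True, "backend_path": parts.path,
                "identity": "caller", "reason": "no explicit logon"}
    if not SMTP_ADDRESS.match(address):
        return {"accepted": False, "backend_path": None, "identity": None,
                "reason": "explicit logon address is not a plain SMTP address"}
    new_path = "/".join(s for s in parts.path.split("/") if s != address)
    if not new_path.lower().startswith(VDIR):
        return {"accepted": False, "backend_path": None, "identity": None,
                "reason": "rewritten path left the Autodiscover virtual directory"}
    return {"accepted": True, "backend_path": new_path,
            "identity": "caller", "reason": "explicit logon for " + address}


# Constructed request URIs. The first has the ProxyShell shape, aimed at the
# backend PowerShell endpoint; the second is a benign Explicit Logon request
# with the mailbox address where it belongs, in its own path segment.
ATTACK_URI = ("/autodiscover/autodiscover.json?@evil.example/powershell/"
              "?&Email=autodiscover/autodiscover.json%3F@evil.example")
LEGIT_URI = "/autodiscover/user@corp.example/autodiscover.json?Email=user@corp.example"

if __name__ == "__main__":
    for uri in (ATTACK_URI, LEGIT_URI):
        print(vulnerable_frontend(uri))
        print(hardened_frontend(uri))
```

Run it and the attack URI comes out of the vulnerable rewrite as `/powershell/` evaluated as SYSTEM, while the hardened rewrite rejects it because `autodiscover/autodiscover.json?@evil.example` is not an SMTP address; the benign URI is accepted by both, but only the hardened path keeps the caller's identity.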
The full ProxyShell chain:
- CVE-2021-34473 — pre-auth path confusion (the SSRF-like step); reaches arbitrary backend endpoints as SYSTEM
- CVE-2021-34523 — elevation of privilege on the Exchange PowerShell backend; the backend /powershell endpoint trusts an X-Rps-CAT parameter carrying a serialised access token, so a request arriving as SYSTEM can run Exchange cmdlets as any chosen user, typically an administrator
- CVE-2021-31207 — post-auth arbitrary file write via mailbox export (New-MailboxExportRequest); used to write a webshell to a web-accessible path
The file write in detail: using the PowerShell backend reached in the previous step, the attacker grants the impersonated account the Mailbox Import Export role, saves a draft email carrying the webshell into a mailbox, and then runs New-MailboxExportRequest with a FilePath pointing at a web-served location (for example a UNC path such as \\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\<name>.aspx). Exchange writes the export there and IIS serves it as a page. PST files apply a simple byte-level encoding, so the payload in the draft is pre-encoded to come out as the intended ASPX source on export.
Real-World Exploitation Evidence
Exploitation began within days of the Black Hat 2021 talk. Key campaigns:
- LockFile ransomware — deployed through ProxyShell in August 2021, paired with the PetitPotam NTLM relay attack for domain takeover; targeted manufacturing, financial services, engineering and legal organisations, mostly in the US and Asia
- Conti ransomware affiliates — used ProxyShell as an entry point in multiple high-profile attacks
- BlackByte ransomware — FBI advisory specifically called out ProxyShell as initial vector
- Babuk ransomware — a Babuk variant was delivered through ProxyShell in the Tortilla campaign reported by Cisco Talos in November 2021
- TA413 (APT targeting Tibetan organisations) — exploited ProxyShell to establish persistence
Shodan scans in August 2021 identified tens of thousands of unpatched Exchange servers, and within a week of the Black Hat talk, researchers observed widespread webshell drops across multiple unrelated campaigns.
Impact Assessment
Exploitation achieves:
- Remote code execution as SYSTEM — the highest privilege level on Windows
- Webshell persistence — shells survive reboots and are difficult to detect without dedicated file integrity monitoring
- Full email access — complete visibility into organisational communications
- Credential harvesting — SYSTEM on the server allows dumping LSASS memory and the SAM hive, and the Exchange server’s computer account holds broad Active Directory rights, so domain-wide escalation can follow
- Ransomware deployment — consistently used as the first step in ransomware attacks
- Downstream phishing — compromised Exchange servers used to send phishing emails that appear legitimate to partners and customers
Affected Versions
| Product | Affected Versions | Fix (security update) |
|---|---|---|
| Microsoft Exchange Server 2013 | CU23 and earlier | KB5003435 |
| Microsoft Exchange Server 2016 | CU20 and earlier | KB5003612 |
| Microsoft Exchange Server 2019 | CU9 and earlier | KB5003612 |
Remediation Steps
- Apply the May 2021 security update (KB5003435 for Exchange 2013; KB5003612 as listed above for 2016/2019) if not already done; Exchange security updates are cumulative within a CU, so it includes the April fixes for CVE-2021-34473 and CVE-2021-34523
- Apply the July 2021 security updates for defence-in-depth and move to a supported cumulative update (Exchange 2016 CU21 / Exchange 2019 CU10 or later include all three fixes)
- Run `Test-ProxyLogon.ps1` from Microsoft's CSS-Exchange repository; it checks for ProxyShell indicators as well
- Audit for webshells in the Exchange web directories. `C:\inetpub\wwwroot\aspnet_client\` and the `FrontEnd\HttpProxy\` virtual directories were the usual drop locations, and attackers can timestomp files, so widen the date window to the earliest plausible compromise rather than trusting 90 days:
  `Get-ChildItem -Path "C:\inetpub\wwwroot\","C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\" -Recurse -Include "*.aspx","*.ashx" | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-90)}`
- Check IIS logs for Autodiscover requests whose query string starts with `@` (IIS logs the query separately from the URI stem, so `autodiscover.json?@domain` shows up as a cs-uri-query beginning with `@`)
- Audit mailbox export jobs for unexpected exports, especially any FilePath ending in `.aspx` or pointing under `inetpub`:
  `Get-MailboxExportRequest | Select Name,Status,FilePath`
  Completed requests can be removed by the attacker, so also check the admin audit log (`Search-AdminAuditLog`) for New-MailboxExportRequest
- Review who holds the Mailbox Import Export role (`Get-ManagementRoleAssignment`); the chain assigns it to the impersonated account before exporting
- Remove any export requests or role assignments not initiated by admins
- If compromise is confirmed, engage incident response — patching alone won’t remove dropped webshells
Detection Guidance
IIS logs — look for requests where cs-uri-stem is /autodiscover/autodiscover.json and cs-uri-query either begins with @ (IIS stores the query without its leading ?, so autodiscover.json?@domain lands there as a query starting with @) or contains the encoded copy in the Email parameter. Legitimate Autodiscover traffic carries the mailbox address in the stem (/autodiscover/autodiscover.json/v1.0/user@domain) or as a plain Email=user@domain parameter, never as autodiscover.json?@domain. Pay particular attention to external source IPs, scripting user agents, and a follow-on backend path such as /powershell/ or /mapi/ inside the query.
Patterns to search for:
autodiscover.json?@[domain] (raw request URL)
Email=autodiscover/autodiscover.json%3F@[domain] (the encoded copy; appears in cs-uri-query)
Exchange logs — the HttpProxy logs under C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\ (Autodiscover, Ews and Powershell subfolders) record the URL stem and query of every proxied request together with the client IP; review the Powershell folder for remoting sessions originating from external IPs.
Windows Event Logs — PowerShell script block logging (Event ID 4104, with 4103 module logging) can capture New-MailboxExportRequest; the MSExchange Management event log records every Exchange cmdlet invocation with its parameters, and Search-AdminAuditLog returns the same data from the admin audit log, including role assignments and export requests.
Suricata signature:
alert http any any -> $HTTP_SERVERS any (msg:"ProxyShell CVE-2021-34473 Autodiscover Exploitation Attempt"; flow:established,to_server; http.uri.raw; content:"/autodiscover/autodiscover.json?@"; nocase; classtype:web-application-attack; sid:2034002; rev:2;)
Matching on the raw URI keeps the literal ?@ as the client sent it; a looser rule that only requires an @ somewhere after .json also fires on legitimate /autodiscover/autodiscover.json/v1.0/user@domain requests.
File integrity monitoring — alert on any new .aspx files written to Exchange web directories, particularly those not matching known Exchange filenames.
Timeline
| Date | Event |
|---|---|
| April 2021 | DEVCORE demonstrates the chain at Pwn2Own Vancouver; Microsoft’s April security update fixes CVE-2021-34473 and CVE-2021-34523 without publishing advisories for them |
| May 2021 | CVE-2021-31207 fixed in the May security update |
| 13 July 2021 | Microsoft publishes advisories for CVE-2021-34473 and CVE-2021-34523, noting both were already fixed in April; July security updates released |
| 5 August 2021 | Orange Tsai presents ProxyShell at Black Hat USA 2021 |
| 6 August 2021 | Scanning for the autodiscover.json?@ pattern observed on honeypots within 24 hours of the talk, with exploitation following over the next days |
| August 2021 | LockFile and other ransomware groups adopt ProxyShell as an initial access vector |
| 21 August 2021 | CISA issues an urgent advisory on active exploitation of ProxyShell |
| 3 November 2021 | All three CVEs included in CISA’s Known Exploited Vulnerabilities catalogue at its launch |