Browse Definitions :

Getty Images/iStockphoto

ProxyShell vs. ProxyLogon: What's the difference?

ProxyShell and ProxyLogon both affect Microsoft Exchange Servers, but they work in different ways.

ProxyShell and ProxyLogon are both exploits against on-premises Microsoft Exchange Servers, discovered in 2021. Both vulnerabilities enable threat actors to perform remote code execution on vulnerable systems.

Any organization that has not patched its Exchange Servers since July 2021 may be susceptible to an attack.

It is important to understand how each type of attack works. Here are their similarities and differences:

ProxyLogon

Orange Tsai, principal security researcher at Devcore, is credited with discovering the ProxyLogon exploit. He described it as possibly being the most severe vulnerability in the history of Microsoft Exchange.

ProxyLogon is the name that was given to Microsoft vulnerability number CVE-2021-26855. The ProxyLogon attack can be used against unpatched mail servers running Microsoft Exchange Server 2013, 2016 or 2019 that are set up to receive untrusted connections from the outside world. This enables threat actors to execute commands on unpatched, on-premises Exchange Servers by sending commands across Port 443. ProxyLogon is known as a pre-authenticated vulnerability. This means an attacker does not need to log on or complete any sort of authentication process to execute code remotely.

Read more here about port numbers.

The best thing that organizations can do to protect themselves against this exploit is keep their systems updated with the latest patches. They should also avoid making Exchange Server directly accessible from the internet.

ProxyShell

The ProxyShell exploit was discovered more recently than ProxyLogon. ProxyShell is an attack chain designed to exploit three separate vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207.

Although ProxyShell is a completely different exploit than ProxyLogon, many security researchers consider ProxyLogon to be the genesis of ProxyShell. ProxyLogon acted as something of a proof of concept that eventually led to the creation of ProxyShell.

ProxyShell targets on-premises Exchange Servers running Exchange Server 2013, 2016 or 2019. The threat specifically targets Exchange Client Access Servers -- or CAS servers, as Microsoft often calls them. Microsoft initially introduced CAS servers as front-end servers to protect Exchange mailbox servers.

The idea was that placing mailbox servers behind one or more client access servers kept mailbox servers from being directly accessible from the internet. But the ProxyShell exploit takes advantage of vulnerabilities that exist within Client Access Servers, using them as a tool to remotely execute code on the CAS servers. Some attackers also use the ProxyShell exploit to plant ransomware on vulnerable systems.

Kevin Beaumont, senior threat intelligence analyst at Microsoft, described the ProxyShell vulnerabilities as being worse than ProxyLogon. He said they are more exploitable because most organizations haven't patched, and some threat actors who are exploiting the ProxyShell vulnerabilities are using them as a tool for planting and executing LockFile ransomware.

Attackers know that most Microsoft Exchange Client Access Servers are accessible from the internet. They also know that client access servers are accessible over TCP Port 443. This makes it easy for threat actors to connect to a CAS server and run some simple tests to see if the server is vulnerable to the ProxyShell exploits.

The best defense against ProxyShell is to make sure that Exchange Servers are up to date with the latest Microsoft security patches. Although ProxyShell specifically targets client access servers, it is equally important to keep mailbox servers up to date with the latest patches.

Dig Deeper on Microsoft

SearchNetworking
  • cloud-native network function (CNF)

    A cloud-native network function (CNF) is a service that performs network duties in software, as opposed to purpose-built hardware.

  • microsegmentation

    Microsegmentation is a security technique that splits a network into definable zones and uses policies to dictate how data and ...

  • Wi-Fi 6E

    Wi-Fi 6E is one variant of the 802.11ax standard.

SearchSecurity
  • MICR (magnetic ink character recognition)

    MICR (magnetic ink character recognition) is a technology invented in the 1950s that's used to verify the legitimacy or ...

  • What is cybersecurity?

    Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.

  • Android System WebView

    Android System WebView is a system component for the Android operating system (OS) that allows Android apps to display web ...

SearchCIO
  • privacy compliance

    Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or ...

  • contingent workforce

    A contingent workforce is a labor pool whose members are hired by an organization on an on-demand basis.

  • product development (new product development -- NPD)

    Product development, also called new product management, is a series of steps that includes the conceptualization, design, ...

SearchHRSoftware
  • talent acquisition

    Talent acquisition is the strategic process employers use to analyze their long-term talent needs in the context of business ...

  • employee retention

    Employee retention is the organizational goal of keeping productive and talented workers and reducing turnover by fostering a ...

  • hybrid work model

    A hybrid work model is a workforce structure that includes employees who work remotely and those who work on site, in a company's...

SearchCustomerExperience
  • hockey stick growth

    Hockey stick growth is a growth pattern in a line chart that shows a sudden and extremely rapid growth after a long period of ...

  • Salesforce Trailhead

    Salesforce Trailhead is a series of online tutorials that coach beginner and intermediate developers who need to learn how to ...

  • Salesforce

    Salesforce, Inc. is a cloud computing and social enterprise software-as-a-service (SaaS) provider based in San Francisco.

Close