One Day Sec

How can attackers use the SSRF vulnerability to access mailbox data of other users?

After triggering the SSRF, the attacker can call the Exchange Web Service (EWS) to read email content. However, because EWS requires authentication, the attacker leverages a technique from CVE-2018-8581 (privilege escalation) by embedding a `SerializedSecurityContext` in the SOAP header with a target user's SID. This allows the attacker to impersonate any mailbox user. To obtain the SID, the attacker first fetches the user's legacyDn via `/autodiscover/autodiscover.xml`, then queries `/mapi/emsmdb` with that legacyDn to retrieve the SID, as detailed in the ProxyShell exploitation analysis.
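A defender-side check for the chain described above, added here as an example (not code from the original page): since EWS requires authentication, a client that gets HTTP 200 with no logged username on the autodiscover, `/mapi/emsmdb` and EWS endpoints in sequence is worth investigating. The simplified log layout, the `/ews/` match string, the 10-minute window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoints named in the answer, in the order the chain touches them.
# "/ews/" (the EWS virtual directory) is an assumed match string.
STAGES = ("/autodiscover/autodiscover.xml", "/mapi/emsmdb", "/ews/")
WINDOW = timedelta(minutes=10)  # assumed correlation window
# Assumed simplified layout: date time c-ip cs-username method uri status
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log lines (documentation IP ranges, made-up user).
SAMPLE_LOG = r"""
2021-08-10 09:00:01 203.0.113.7 - POST /autodiscover/autodiscover.xml 200
2021-08-10 09:00:03 203.0.113.7 - POST /mapi/emsmdb 200
2021-08-10 09:00:05 203.0.113.7 - POST /EWS/Exchange.asmx 200
2021-08-10 09:01:00 198.51.100.4 CORP\alice POST /autodiscover/autodiscover.xml 200
2021-08-10 09:01:02 198.51.100.4 CORP\alice POST /mapi/emsmdb 200
2021-08-10 09:01:04 198.51.100.4 CORP\alice POST /EWS/Exchange.asmx 200
2021-08-10 09:02:00 192.0.2.9 - POST /EWS/Exchange.asmx 401
"""

def find_unauthenticated_chains(log_text, window=WINDOW):
    """Return (client_ip, first_seen, last_seen) for each client that got
    HTTP 200 without a logged username on every stage, in order, in window."""
    progress = {}  # client ip -> (next stage index, time of first stage)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank, comment or malformed line
        when, ip, user, _method, uri, status = m.groups()
        if user != "-" or status != "200":
            continue  # authenticated, or rejected as expected (e.g. 401)
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
        stage, start = progress.get(ip, (0, ts))
        if stage and ts - start > window:
            stage, start = 0, ts  # stale partial chain: start over
        if STAGES[stage] not in uri.lower():
            continue  # substring match on the whole logged URI
        stage += 1
        if stage == len(STAGES):
            findings.append((ip, start, ts))
            progress.pop(ip, None)
        else:
            progress[ip] = (stage, start)
    return findings

if __name__ == "__main__":
    print(find_unauthenticated_chains(SAMPLE_LOG))
```

Authenticated clients legitimately touch the same three endpoints, so the username and status filter is what separates the two cases in the sample.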