One Day Sec

How does the implementation achieve credential passing without a domain-joined host?

The implementation adds NTLM authentication to pass credentials, enabling remote access to Exchange PowerShell from any host. It builds upon techniques from ProxyShell exploitation and uses either pypsrp or Flask as a web proxy to filter and modify communication data, or simulates normal Exchange PowerShell communication data directly.
Tags: NTLM authentication, credential passing, pypsrp, Flask, ProxyShell
