One Day Sec

How does the man-in-the-middle (MITM) attack work for this vulnerability, and what is the end goal?

An attacker in a privileged network position (for example via ARP spoofing or DNS poisoning) hijacks traffic to the Microsoft-hosted domain from which Exchange downloads its help configuration files. When an administrator runs `Update-ExchangeHelp`, the Exchange server fetches the XML manifest from the attacker-controlled host instead; the malicious manifest points to a crafted CAB file. A member of that CAB carries a directory-traversal file name, so when the server extracts it the webshell (e.g., `poc.aspx`) is written outside the intended help directory into the web root (`C:\inetpub\wwwroot\aspnet_client`). The end goal is remote code execution: once the webshell is reachable over HTTP, the attacker can run arbitrary commands on the Exchange server. For a deeper understanding of related Exchange exploits, see ProxyShell Analysis 1 and ProxyOracle Analysis 2.
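The step that turns a downloaded help archive into a webshell is the extractor trusting the member name inside the CAB. The following is an added illustration, not code from the original page and not Exchange's actual extraction routine: it models a naive extractor that joins each member name to the staging directory beside a hardened one that normalizes the result and refuses anything that resolves outside that directory. The staging directory, the member names and the CAB member list are constructed assumptions; only the web-root path comes from the write-up. It uses Python's `ntpath` so the Windows path semantics are reproduced on any platform, and it never touches the filesystem.

```python
import ntpath

# Assumed extraction directory for the downloaded help files (not from the page).
STAGING_ROOT = r"C:\ExchangeHelp\staging"
# Web root named in the write-up as the webshell's destination.
WEB_ROOT = r"C:\inetpub\wwwroot\aspnet_client"

# Constructed stand-in for a malicious CAB's member list. The entry names are
# assumptions for illustration, not the real Pwn2Own archive contents.
CAB_MEMBERS = [
    r"en\ExchangeHelp.xml",                              # benign help file
    r"..\..\..\inetpub\wwwroot\aspnet_client\poc.aspx",  # traversal into the web root
    r"\inetpub\wwwroot\aspnet_client\poc2.aspx",         # rooted name, drops the staging dir
    r"D:\poc3.aspx",                                     # different drive letter
]


def vulnerable_dest(root: str, member: str) -> str:
    """Naive extractor: joins the archive member name to root and trusts the result."""
    return ntpath.normpath(ntpath.join(root, member))


def safe_dest(root: str, member: str) -> str:
    """Hardened extractor: resolve the path, then refuse anything that escapes root.

    commonpath is used instead of a string prefix test so that a sibling such as
    C:\\ExchangeHelp\\staging-evil does not pass by sharing root as a prefix.
    """
    root = ntpath.normpath(root)
    dest = ntpath.normpath(ntpath.join(root, member))
    try:
        inside = ntpath.commonpath([root, dest]) == root
    except ValueError:
        # Different drive letter or UNC root: the two paths share no prefix at all.
        inside = False
    if not inside or dest == root:
        raise ValueError(f"refusing to extract {member!r}: resolves to {dest!r}")
    return dest


def extract(members, root, resolver):
    """Run every member through resolver; return (written, rejected) lists."""
    written, rejected = [], []
    for member in members:
        try:
            written.append(resolver(root, member))
        except ValueError:
            rejected.append(member)
    return written, rejected


if __name__ == "__main__":
    for name, resolver in (("vulnerable", vulnerable_dest), ("hardened", safe_dest)):
        written, rejected = extract(CAB_MEMBERS, STAGING_ROOT, resolver)
        print(f"{name} extractor:")
        for path in written:
            print("  wrote   ", path)
        for member in rejected:
            print("  rejected", member)
```

With the naive resolver, the traversal entry lands exactly at `C:\inetpub\wwwroot\aspnet_client\poc.aspx`, which is the write-up's webshell location; the hardened resolver writes only the benign file and rejects the traversal, the rooted name and the foreign-drive name. The same containment check belongs in any extractor that unpacks attacker-influenced archives, not only this one.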
man-in-the-middle, hijack domain, webshell, directory traversal, remote code execution, Pwn2Own
