Mitigating NTLM Relay Attacks by Default
Introduction
In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.
With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default. These security enhancements mitigate the risk of NTLM relaying attacks by default across three on-premises services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.
Background
NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:
1. Coercing a victim to authenticate to an arbitrary endpoint.
2. Relaying the authentication against a vulnerable target.
By forwarding or relaying credentials to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim. This gives attackers an initial foothold for further domain compromise. To stop exploitation in its tracks, it’s essential to address the first step: the coercion vulnerabilities that provide attackers with an initial primitive for exploitation. However, to comprehensively mitigate relaying attacks, we also need to holistically address the vulnerable services themselves, by default. Since EPA and other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks.
Enabling NTLM Relay mitigations
In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections. These include CVE-2023-23397 (an Outlook entry point relayed against Exchange Server), CVE-2021-36942 (an LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)). These instances make clear that attackers leverage relaying attacks in their campaigns.
In response to these observed NTLM relaying attacks, Microsoft released guidelines for enabling EPA on AD CS, LDAP, and Exchange Server. While this measure does help protect domains against NTLM relaying attacks, it requires manual intervention from a network administrator, which may not be feasible in all environments. Therefore, we have been working to enable NTLM relaying protections by default, which would automatically safeguard environments against such attacks.
Exchange Server
It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why we prioritized hardening it by default. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563. While we actively fix specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim’s account. Exchange Server can be the prime target in such cases since it is a frequently used mail provider across enterprises.
Earlier this year, with the release of Exchange Server 2019 CU14, Exchange Server gained EPA enabled by default. Exchange Server 2016 is in extended support, and no further CUs are planned for this version. Customers using Exchange Server 2016 can enable EPA via a script.
We recognize that EPA may not be trivial to enable for all environments. A significant portion of enabling EPA by default involved supporting additional scenarios that were not compatible with EPA before. For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.
AD CS and LDAP
We are also excited to announce that the latest Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP. Note that the current default setting for EPA in Server 2025 is Enabled - When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises that do not need to support legacy clients is Enabled - Always, and we hope to move the needle further in future versions of Windows. Additionally, administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and channel binding for LDAP. We have also enabled auditing support for LDAP that identifies machines which do not support channel binding, so that IT administrators can upgrade those clients to versions that support it and then move towards enforcing channel binding.
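The following Python example is added here as an illustration; it is not code from the original post or from any Microsoft implementation. It models, using the message layout from MS-NLMP and the RFC 5929 "tls-server-end-point" binding, what EPA actually checks and why that defeats relaying (the two-step attack described in the Background section): the client folds a channel binding token, a hash of the TLS certificate of the endpoint it connected to, into its NTLMv2 response, and the server recomputes that token over its own certificate. A response bound to a different TLS endpoint fails the check even though the NTLMv2 proof itself is valid, so an authentication that was obtained at one endpoint cannot be accepted by an EPA-protected service. It also shows the two policy modes from the AD CS and LDAP paragraph above: under "When Supported" a client that omits the token is still accepted, under "Always" it is rejected. Assumptions in the code: SHA-256 as the certificate hash, the NT hash used directly as the stored secret (the MD4 step is left out), the absence of the MsvChannelBindings AV pair standing in for a client without channel-binding support, and every certificate, hash and challenge being a constructed stand-in rather than real data.

```python
import hashlib
import hmac
import struct

# AV_PAIR ids from MS-NLMP (only the ones this demo needs)
MSV_AV_EOL = 0x0000
MSV_AV_NB_DOMAIN_NAME = 0x0002
MSV_AV_CHANNEL_BINDINGS = 0x000A

# EPA policy modes, mirroring "Enabled - When Supported" and "Enabled - Always"
WHEN_SUPPORTED = "when_supported"
ALWAYS = "always"


def msv_channel_bindings(cert_der: bytes) -> bytes:
    """MsvChannelBindings value: MD5 over an RFC 2744 gss_channel_bindings_struct whose
    address fields are zero and whose application_data is the RFC 5929
    'tls-server-end-point' binding (prefix + hash of the server's DER certificate).
    Real clients derive the hash from the certificate's signature algorithm; SHA-256,
    the common case, is assumed here."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def av_pairs(domain: str, cbt=None) -> bytes:
    """Build the AV_PAIR list (target info) a client echoes back in its NTLMv2 response.
    A client without channel-binding support omits the MsvChannelBindings pair (assumption)."""
    dom = domain.encode("utf-16-le")
    blob = struct.pack("<HH", MSV_AV_NB_DOMAIN_NAME, len(dom)) + dom
    if cbt is not None:
        blob += struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, len(cbt)) + cbt
    return blob + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob: bytes) -> dict:
    """Walk AvId/AvLen/Value triples until MsvAvEOL."""
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len]
        off += av_len


def response_key_nt(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2) computed from the stored NT hash, i.e. MD4 of the
    UTF-16LE password; the MD4 step itself is left out of this demo."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    """NtChallengeResponse = NTProofStr || temp, with temp laid out as in MS-NLMP 3.3.2."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge + b"\x00" * 4
            + target_info + b"\x00" * 4)
    key = response_key_nt(nt_hash, user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, "md5").digest()
    return nt_proof + temp


def verify(nt_hash, user, domain, server_challenge, response, my_cert_der, policy):
    """Server-side check: first the NTLMv2 proof, then the channel binding token against
    the certificate of the TLS endpoint that actually received the authentication."""
    nt_proof, temp = response[:16], response[16:]
    expected = hmac.new(response_key_nt(nt_hash, user, domain), server_challenge + temp, "md5").digest()
    if not hmac.compare_digest(nt_proof, expected):
        return "rejected: bad NTLMv2 proof"
    # temp: 2 version bytes, 6 zero, 8 timestamp, 8 client challenge, 4 zero, then AV pairs
    cbt = parse_av_pairs(temp[28:]).get(MSV_AV_CHANNEL_BINDINGS)
    if cbt is None:
        return "accepted (no CBT)" if policy == WHEN_SUPPORTED else "rejected: CBT required"
    if not hmac.compare_digest(cbt, msv_channel_bindings(my_cert_der)):
        return "rejected: CBT mismatch"
    return "accepted"


def demo() -> dict:
    """Constructed sample values: stand-ins for DER certificates, an NT hash and challenges."""
    this_server_cert = b"CONSTRUCTED DER of the intended server's TLS certificate"
    other_endpoint_cert = b"CONSTRUCTED DER of some other TLS endpoint's certificate"
    nt_hash = hashlib.md5(b"constructed stand-in for an MD4 NT hash").digest()
    user, domain = "alice", "CORP"
    server_chal, client_chal, ts = bytes(range(8)), bytes(range(8, 16)), b"\x00" * 8

    def client(cbt):
        return ntlmv2_response(nt_hash, user, domain, server_chal, client_chal, ts, av_pairs(domain, cbt))

    def check(resp, policy):
        return verify(nt_hash, user, domain, server_chal, resp, this_server_cert, policy)

    bound_here = client(msv_channel_bindings(this_server_cert))
    bound_elsewhere = client(msv_channel_bindings(other_endpoint_cert))
    no_cbt = client(None)
    return {
        "bound_to_this_server": check(bound_here, ALWAYS),
        "bound_to_other_endpoint": check(bound_elsewhere, WHEN_SUPPORTED),
        "legacy_client_when_supported": check(no_cbt, WHEN_SUPPORTED),
        "legacy_client_always": check(no_cbt, ALWAYS),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "bound_to_other_endpoint" case is the one that matters for relaying: the proof verifies, because the user's credential is genuine, but the token inside the signed blob names a certificate the receiving server does not hold, and that mismatch is rejected under either policy mode. The two "legacy_client" cases show the trade-off the post describes: "When Supported" keeps clients without channel binding working, which is why the LDAP auditing exists to find them before switching to "Always".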
With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against NTLM relay attacks on those versions. Additional changes to default EPA enablement are currently in the pipeline for more Windows services. Moving forward, we will continue our efforts to enable EPA across more services by default in future versions, aiming to eliminate this class of NTLM relay attacks entirely.
Looking ahead: The future of NTLM
NTLM is a legacy protocol, and we have been recommending that users prepare for NTLM being disabled by default in a future version of Windows. We have also been encouraging customers to catalogue and reduce their dependencies on NTLM and explore moving over to modern authentication protocols like Kerberos. In the interim, we are exploring various strategies to harden against NTLM attacks. A notable development is that in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLMv2 is deprecated. Additionally, admins now have the option to configure SMB to block NTLM.
The progress towards enforcing secure by default across the ecosystem is aligned with principles from Microsoft’s Secure Future Initiative. As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP, reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.
The security mitigations here are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. Special thanks to Nino Bilic, Matthew Palko, and Wayne McIntyre for their help and support with this blog.
Rohit Mothe
George Hughey
MSRC Vulnerabilities & Mitigations Team