CVE-2024-21410: Protect Microsoft Exchange from NTLM Relay Attacks
- [01] Attackers can gain elevated privileges by relaying NTLM credentials against vulnerable Microsoft Exchange Servers.
- [02] Microsoft Exchange Server 2016 and 2019 are at high risk if Extended Protection for Authentication is not enabled.
- [03] Administrators must apply the latest cumulative updates and ensure Extended Protection is active on all virtual directories.
Analysis of the Microsoft Exchange NTLM Relay Threat
According to the SANS ISC Stormcast, recent intelligence highlights the persistent danger posed by credential relaying techniques, specifically targeting enterprise mail infrastructure. The disclosure of CVE-2024-21410 underscores a significant weakness in how Microsoft Exchange Server handles NTLM authentication. This CVE carries a CVSS score of 9.8 due to its potential for remote, unauthenticated Privilege Escalation.
The vulnerability allows a remote attacker to relay a victim’s NTLM credentials—often obtained through Phishing or other initial access TTP methods—to a vulnerable Exchange server. Once relayed, the attacker can perform actions in the context of the victim, which frequently leads to the full compromise of the mail environment or Lateral Movement within the internal network.
Technical Mechanism: How NTLM Relaying Works
NTLM relaying is not a new concept, but its application against Exchange’s RPC and HTTP interfaces is particularly devastating. In a typical scenario, an attacker induces a client to authenticate to an attacker-controlled machine. The attacker then forwards those authentication tokens to the Exchange server. Because the server does not verify that the authentication session is cryptographically bound to the transport layer (TLS), it accepts the relayed credentials as valid.
For an APT group, this vulnerability is a high-value target. By escalating privileges to a ‘Linked Role’ or administrative level, they can bypass traditional security controls to export mailboxes, modify transport rules, or deploy Ransomware. This is why understanding how to detect CVE-2024-21410 exploit activity within your environment is a top priority for the SOC.
Critical Microsoft Exchange Server 2019 Patch Guidance
Defenders must prioritize the implementation of Extended Protection for Authentication (EPA). While Microsoft has enabled EPA by default in recent Cumulative Updates (CU), many legacy environments remain vulnerable because the setting was not retroactively applied or was manually disabled to support older applications.
Following official Microsoft Exchange Server 2019 patch guidance, administrators should:
- Verify that the Exchange Server is running at minimum CU14.
- Use the ExchangeExtendedProtectionManagement.ps1 script to audit the status of virtual directories.
- Ensure that SSL Offloading is disabled, as EPA requires the TLS session to terminate at the Exchange server to maintain the integrity of the channel binding tokens.
Mitigating and Preventing NTLM Relay Attacks
To move toward a Zero Trust architecture, organizations should aim to disable NTLM entirely in favor of Kerberos. However, where NTLM remains a business necessity, preventing NTLM relay attacks requires a multi-layered approach.
Defenders should monitor SIEM logs for Event ID 4624 (Successful Logon) where the Logon Type is 3 (Network) and the source IP is unexpected. Additionally, EDR solutions should be configured to alert on anomalous PowerShell execution involving Exchange management modules. By correlating these IoC signatures with MITRE ATT&CK framework techniques such as T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relaying), teams can proactively identify exploitation attempts before full domain compromise occurs.
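As an added illustration of the 4624 hunt described above (this is not code from the SANS ISC post or from Microsoft), the following Python snippet runs the "network logon over NTLM from an unexpected source" rule over a few constructed sample events and also notes when one workstation name is claimed from more than one source IP. The key=value record layout, the allowlisted subnet, and all host and user names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample 4624 events in a flattened key=value form, as a SIEM might
# forward them (hypothetical records, not real log data).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUserName=jdoe "
    "WorkstationName=WS-0042 IpAddress=10.20.1.55 TargetServerName=EXCH01",
    "EventID=4624 LogonType=3 AuthPackage=NTLM TargetUserName=jdoe "
    "WorkstationName=WS-0042 IpAddress=203.0.113.77 TargetServerName=EXCH01",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUserName=svc-backup "
    "WorkstationName=BK01 IpAddress=10.20.3.9 TargetServerName=EXCH01",
    "EventID=4624 LogonType=2 AuthPackage=NTLM TargetUserName=admin "
    "WorkstationName=EXCH01 IpAddress=127.0.0.1 TargetServerName=EXCH01",
]

# Source ranges from which network logons to Exchange are expected (assumption:
# an allowlist maintained by the SOC; adjust to the environment).
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict of string fields."""
    return dict(KV_RE.findall(line))

def is_suspicious(ev: dict) -> bool:
    """True for a 4624 network logon (type 3) over NTLM from outside the allowlist."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return False
    if ev.get("AuthPackage") != "NTLM":
        return False
    try:
        src = ipaddress.ip_address(ev.get("IpAddress", ""))
    except ValueError:
        return True  # missing or unparsable source address deserves a look
    return not any(src in net for net in EXPECTED_SOURCES)

def find_relay_candidates(lines) -> list:
    """Return (user, source_ip, claimed_workstation) for each suspicious logon."""
    hits = []
    for ev in map(parse_event, lines):
        if is_suspicious(ev):
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev.get("WorkstationName", "")))
    return hits

def workstations_with_multiple_sources(lines) -> dict:
    """Map a claimed WorkstationName to the set of source IPs it was seen from,
    keeping only names seen from more than one IP (a pivot for relay triage)."""
    seen = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            seen[ev.get("WorkstationName", "")].add(ev.get("IpAddress", ""))
    return {ws: ips for ws, ips in seen.items() if len(ips) > 1}
```

Running `find_relay_candidates(SAMPLE_EVENTS)` on the constructed data flags only the jdoe logon from 203.0.113.77, and the second helper shows WS-0042 claimed from two different source addresses.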