Microsoft Rolls Out Default NTLM Relay Attack Mitigations


Microsoft has announced new default security protections meant to make it more difficult for threat actors to mount NTLM relay attacks against on-premises Exchange servers.

As part of such attacks, threat actors target the NTLM (New Technology LAN Manager) authentication protocol by tricking the victim into authenticating to an arbitrary endpoint and then relaying the authentication against a vulnerable target.

Successful attacks, which typically exploit NTLM coercion vulnerabilities, lead to account compromise and allow attackers to perform actions on behalf of the victim.

NTLM relay attacks can be mounted against Exchange servers through Office documents and messages sent via Outlook, to exploit security defects such as CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 and take over victim accounts.

While Microsoft says it is not aware of any active NTLM relaying attacks against Exchange, it has decided to improve its protections against this attack vector, knowing that Exchange can be a prime target for threat actors looking to exploit NTLM coercion flaws.

Earlier this year, the tech giant released an update to enable Extended Protection for Authentication (EPA) by default in Exchange Server 2019, and has now made Windows Server 2025 generally available with EPA enabled by default.

Furthermore, the new release also comes with channel binding enabled by default for the Lightweight Directory Access Protocol (LDAP), and EPA is now enabled by default on Active Directory Certificate Services (AD CS), further mitigating the risk of NTLM relaying attacks.

“Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks,” Microsoft says.


The tech giant previously published guidance for enabling EPA on AD CS, LDAP, and Exchange Server, but has decided to automatically safeguard environments by enabling the protection by default.

In Exchange Server 2016, which is in extended support, EPA can be enabled via a script. On Windows Server 2022 and 2019, administrators can manually enable EPA for AD CS and channel binding for LDAP.

“We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding,” the tech giant notes.
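The two manual steps described above for Windows Server 2019/2022, LDAP channel binding with its audit mode and EPA on the AD CS web enrollment site, map to a registry value on domain controllers and an IIS setting on the CA web server. The following PowerShell is an added example, not code from the article or from Microsoft. It relies on the standard Windows settings (the NTDS `LdapEnforceChannelBinding` value, the `16 LDAP Interface Events` diagnostic level and Directory Service event 3039 for binds that lack a channel binding token); the IIS site path `Default Web Site/CertSrv` is an assumption about a default web enrollment install and should be adjusted to the real path.

```powershell
# Added example (not from the article or Microsoft): audit, then enforce, the
# two mitigations the article describes for Windows Server 2019/2022.
# Assumptions: run elevated; the LDAP functions on a domain controller, the
# AD CS function on a CA web enrollment server where the CertSrv application
# lives under "Default Web Site" (assumed default path).

#Requires -RunAsAdministrator

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapChannelBindingState {
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
    # A missing value behaves like 0, so report that as 'Never'.
    $v = (Get-ItemProperty -Path $NtdsParams -Name LdapEnforceChannelBinding `
            -ErrorAction SilentlyContinue).LdapEnforceChannelBinding
    switch ($v) {
        2       { 'Always' }
        1       { 'WhenSupported' }
        default { 'Never' }
    }
}

function Enable-LdapChannelBindingAudit {
    # Rollout step 1: raise the LDAP interface diagnostic level so the DC logs
    # binds that arrive without a channel binding token (event 3039), and move
    # to "when supported" so capable clients already get protection while
    # legacy clients keep working and show up in the log.
    Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
    if ((Get-LdapChannelBindingState) -eq 'Never') {
        Set-ItemProperty -Path $NtdsParams -Name LdapEnforceChannelBinding -Value 1 -Type DWord
    }
}

function Get-LdapBindsWithoutChannelBinding {
    # Rollout step 2: list the audit events so the machines that still need an
    # upgrade can be identified before enforcement is turned on.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 3039 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Set-LdapChannelBindingAlways {
    # Rollout step 3: once the audit log stays empty for the monitoring period,
    # require channel binding for every TLS-protected LDAP bind.
    Set-ItemProperty -Path $NtdsParams -Name LdapEnforceChannelBinding -Value 2 -Type DWord
}

function Get-CertSrvEpaState {
    # Reads the Extended Protection "tokenChecking" setting of the AD CS web
    # enrollment application. 'Require' is the hardened state; 'None' means a
    # relayed NTLM authentication to this site is not tied to the TLS channel.
    param([string]$Location = 'Default Web Site/CertSrv')   # assumed default path
    Import-Module WebAdministration
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking').Value
}

function Set-CertSrvEpaRequired {
    # Enables EPA on the web enrollment site; combined with an HTTPS-only
    # binding this is what blocks the relay path the article describes.
    param([string]$Location = 'Default Web Site/CertSrv')   # assumed default path
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -Value 'Require'
}

# Typical use on a DC: Enable-LdapChannelBindingAudit, review
# Get-LdapBindsWithoutChannelBinding for a few weeks, then
# Set-LdapChannelBindingAlways. On the CA web server: check
# Get-CertSrvEpaState and apply Set-CertSrvEpaRequired if it is not 'Require'.
```

The audit-first order matters: jumping straight to `LdapEnforceChannelBinding = 2` rejects binds from clients that never send a channel binding token, which is exactly the population the auditing support quoted above is meant to surface first.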

Microsoft has also removed NTLMv1 from, and deprecated NTLMv2 in, Windows Server 2025 and Windows 11 24H2, and plans to enable EPA by default across more services in the future, with the goal of eliminating this class of NTLM relay attacks completely.

“As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future,” the company notes.

Last week, 0patch announced that a new vulnerability in all Windows versions after Windows 7 and Windows Server 2008 R2 allows attackers to harvest a user’s NTLM credentials “by simply having the user view a malicious file in Windows Explorer”. The vulnerability has yet to be patched by Microsoft.

Related: Microsoft Improving Windows Authentication, Disabling NTLM

Related: New NTLM Hash Leak Attacks Target Outlook, Windows Programs

Related: Organizations Warned About DoS Flaws in Popular Open Source Message Brokers

Related: Microsoft Word subDoc Feature Allows Password Theft
