Researcher Escalates Privileges on Exchange 2013 via NTLM Relay Attack

Microsoft Exchange 2013 and newer versions allow an attacker to escalate privileges when performing an NT LAN Manager (NTLM) relay attack, a security researcher warns.

According to Dirk-jan Mollema, who discovered the vulnerability, the attack is in fact a combination of multiple known flaws and could be exploited by any user with a mailbox to escalate privileges to Domain Admin access. 

The first issue is that, in organizations using Active Directory and Exchange, Exchange servers have high-enough privileges to allow an admin on the Exchange server to escalate to Domain Admin. With NTLM authentication vulnerable to relay attacks, one can get Exchange to authenticate to an arbitrary URL over HTTP via the PushSubscription feature, the researcher says.

“Connections made using the PushSubscription feature will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks,” a CERT/CC vulnerability note reads. 
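For defenders who want to check the condition CERT/CC describes in traffic they have captured, the following added example (not code from the article, the researcher or CERT/CC) decodes an NTLM message from an HTTP `Authorization`/`WWW-Authenticate` header value and reports whether the Sign and Seal flags are set. The function names and the sample headers are constructed for illustration; the flag values and field offsets are those of the NTLM specification (MS-NLMP).

```python
import base64
import struct

# Flag values from the NTLM specification (MS-NLMP).
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
# Byte offset of NegotiateFlags per message type
# (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}


def parse_ntlm_header(header_value):
    """Return (message_type, flags) from an 'NTLM <base64>' header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM authentication header")
    raw = base64.b64decode(blob.strip(), validate=True)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None or len(raw) < offset + 4:
        raise ValueError("unknown or truncated NTLM message")
    (flags,) = struct.unpack_from("<I", raw, offset)
    return msg_type, flags


def audit(header_value):
    """Report whether the message negotiates signing and sealing."""
    msg_type, flags = parse_ntlm_header(header_value)
    sign = bool(flags & NTLMSSP_NEGOTIATE_SIGN)
    seal = bool(flags & NTLMSSP_NEGOTIATE_SEAL)
    # 'unsigned' marks the condition the vulnerability note ties to relaying.
    return {"type": msg_type, "sign": sign, "seal": seal, "unsigned": not sign}


def build_negotiate(flags):
    """Constructed sample: minimal NEGOTIATE message, empty domain/workstation."""
    raw = b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16
    return "NTLM " + base64.b64encode(raw).decode()


# Constructed samples, not captured traffic:
# 0x00000207 omits Sign/Seal, 0x00000237 sets both.
UNSIGNED = build_negotiate(0x00000207)
SIGNED = build_negotiate(0x00000237)

if __name__ == "__main__":
    for name, hdr in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(name, audit(hdr))
```
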

The ability to force Exchange to authenticate via the PushSubscription feature was initially discovered by researchers with ZDI, who used it to perform a reflection attack (they relayed the NTLM authentication back to Exchange). 

Mollema, however, discovered that this could be combined with the high privileges in Exchange to perform a relay attack and gain DCSync rights. An option in the push notification service makes it possible to send a message every X minutes, and the attack ensures that Exchange connects even when there is no activity in an inbox.

“Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server,” CERT/CC explains.

Mollema also reveals that the attack can be performed using compromised credentials, but that an actor in a position to perform a network attack could trigger Exchange to authenticate even if they don’t have credentials. 

Mitigations organizations could apply include removing unnecessary high privileges that Exchange has on the Domain object, enabling LDAP signing and LDAP channel binding to prevent relaying to LDAP and LDAPS respectively, and blocking Exchange servers from making connections to workstations on arbitrary ports.

The CERT/CC also notes that, while it isn’t aware of a practical solution to this problem, a workaround developed by a third party does exist, and that impacted organizations should consider applying the mitigations proposed by Mollema. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
