How NTLM Relay Ruins Your Exchange Servers


August 24, 2023




Track 2

NTLM Relay is a classic attack against Windows systems. Although proposed many years ago, it is still a hot topic among red teams, especially in Active Directory environments. Exchange Server, as the most widely used mail server in the world, has also attracted more and more attention from attackers, many Exchange 0days with great impact have been found and even exploited in the wild in recent years.

What will happen when Exchange Server meets with NTLM Relay?

In this talk, I will uncover a rarely known NTLM relay attack surface of Exchange Server. This attack surface is an architectural design issue in Exchange cluster environment, which affects about 60% of the Exchange frontend endpoints and 70% of the Exchange backend endpoints. By exploiting these vulnerabilities, attackers can take over any Exchange user’s mailbox and have the power to read emails, send emails, download attachments, and more. Some of these vulnerabilities can result in RCE on Exchange Server.

I’ll walk you through all these vulnerabilities in this talk, including their root causes, how to exploit them, patches, and patch bypasses, and what you can do to protect your Exchange Servers.

Senior Security Researcher


Tianze Ding (@D1iv3), senior security researcher at Tencent Security Xuanwu Lab. His research focuses on Windows Active Directory Security, Cloud Security and Web Security. He has reported numerous vulnerabilities to Microsoft, Apple, Google, etc. and was awarded Microsoft MVR (Microsoft Most Valuable Security Researchers) in 2022. He has also spoken at DEFCON 29 and BlackHat Asia 2021.