Relaying NTLM straight into Exchange (CVE-2024-21410)
If your on-prem Exchange does not enforce Extended Protection, an attacker can coerce a victim's NTLM and relay it straight in, authenticating as them. Here is CVE-2024-21410, and the fix that actually closes it.
A password reset will not fix this one, because the attacker never needed the password.
What it is
CVE-2024-21410 is an elevation of privilege in on-prem Microsoft Exchange Server. An attacker coerces a victim’s NTLM authentication and relays it to an Exchange Server that does not enforce Extended Protection for Authentication; the server accepts the relayed session, and the attacker acts with the victim’s Exchange privileges. In ATT&CK terms this chains T1557 (adversary-in-the-middle) and T1187 (forced authentication) into T1078 (valid accounts) and T1068 (exploitation for privilege escalation).
Why it works
Without Extended Protection for Authentication, which binds the NTLM handshake to the TLS channel it arrived on (channel binding), Exchange cannot tell a relayed session from a real one. Any coercible account can be relayed, so resetting one user's password does not close the hole.
How to detect it
In the Exchange and IIS logs, look for a coercion pattern followed by Exchange authentication for that same account arriving from an unexpected host (one the user does not normally sign in from) with no channel binding.
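The "unexpected host" half of that check, as an added example that is not part of the original post: it parses constructed IIS W3C log lines (the field order and every value are made up for illustration) and flags successful Exchange authentications where the client IP is outside an assumed per-user baseline of known workstations. Standard IIS W3C fields do not record channel binding, so that part of the signal is not covered here.

```python
"""Flag Exchange sign-ins from hosts outside a user's baseline, a relay-style pattern."""
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real data). Assumed field order is given by the
# #Fields line; IIS writes spaces inside User-Agent as '+', so whitespace splitting is safe.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2024-02-14 09:01:12 POST /EWS/Exchange.asmx CORP\\alice 10.10.1.25 Microsoft+Office/16.0 200
2024-02-14 09:02:40 GET /Autodiscover/Autodiscover.xml CORP\\alice 10.10.1.25 Microsoft+Office/16.0 200
2024-02-14 09:05:03 POST /EWS/Exchange.asmx CORP\\alice 10.10.9.77 python-requests/2.31 200
2024-02-14 09:05:05 POST /EWS/Exchange.asmx CORP\\alice 10.10.9.77 python-requests/2.31 200
2024-02-14 09:06:00 GET /owa/ CORP\\bob 10.10.1.30 Mozilla/5.0 200
2024-02-14 09:06:30 GET /owa/ - 10.10.9.77 Mozilla/5.0 401
"""

# Assumed per-user baseline of workstation IPs (from asset inventory or prior weeks of logs).
BASELINE = {"CORP\\alice": {"10.10.1.25"}, "CORP\\bob": {"10.10.1.30"}}


def parse_iis(text):
    """Yield one dict per W3C record, using the most recent #Fields header for names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_unexpected_hosts(text, baseline):
    """Return {(user, client_ip): [uri stems]} for authenticated (200) requests whose
    client IP is not in that user's baseline. Anonymous ('-') and failed requests are ignored."""
    hits = defaultdict(set)
    for rec in parse_iis(text):
        user, ip = rec["cs-username"], rec["c-ip"]
        if user == "-" or rec["sc-status"] != "200":
            continue
        if ip not in baseline.get(user, set()):
            hits[(user, ip)].add(rec["cs-uri-stem"])
    return {key: sorted(stems) for key, stems in hits.items()}


if __name__ == "__main__":
    for (user, ip), stems in find_unexpected_hosts(SAMPLE_LOG, BASELINE).items():
        print(f"{user} authenticated from unexpected host {ip}: {', '.join(stems)}")
```

In production, feed it the rolling log directory and derive the baseline from a trailing window rather than a hard-coded dict; a hit from a host that is also the source of coercion traffic against the user's workstation is the pattern the post describes.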
The fix that holds
Apply the February 2024 Exchange update and enforce Extended Protection for Authentication on all Exchange roles, so that relayed sessions are rejected. Then reduce NTLM use, enable SMB and LDAP signing, and patch the coercion vectors. Because Exchange is highly privileged, check that the foothold did not spread into Active Directory.
Practice it
We built a CVE-2024-21410 scenario in GraphLattice Range so teams learn why Extended Protection, not a password reset, is the fix, and how to check for AD spread.