NTLM relay attacks, once considered a legacy threat, have made a dangerous resurgence in modern Active Directory environments. As organizations continue to rely on Windows-based infrastructure, attackers are refining old techniques to exploit weaknesses in NTLM authentication. This article explores why these attacks are back, how they work in 2025's threat landscape, and most importantly - how to protect your systems.

Why NTLM Relay Attacks Are Back with a Vengeance

Despite Microsoft's push for Kerberos adoption, NTLM authentication remains widely used for backward compatibility. Recent studies show:

  • 65% of enterprises still have NTLM traffic in their networks (2025 Security Benchmark Report)
  • 40% increase in NTLM relay attacks since 2023 (CrowdStrike Threat Report)
  • Average dwell time of 28 days before detection when using relay techniques

The resurgence stems from three key factors:

  1. Cloud migration complexities creating hybrid authentication gaps
  2. Legacy system dependencies that can't fully transition to Kerberos
  3. New coercion techniques that force NTLM authentication even in modern environments

How Modern NTLM Relay Attacks Work

Today's attackers use sophisticated variants of the classic relay technique:

  1. Initial compromise
  2. Discover NTLM-enabled services
  3. Set up relay server
  4. Coerce authentication
  5. Relay to target system
  6. Privilege escalation

Common Attack Paths in 2025:

  • LDAP relay to Domain Controllers: Attackers relay credentials to modify AD objects
  • SMB relay for lateral movement: Moving between workstations with stolen credentials
  • HTTP relay to cloud services: Exploiting hybrid environments
  • Certificate Services attacks: Obtaining fraudulent certificates for persistence

Critical Vulnerabilities Being Exploited

Recent attacks leverage several specific weaknesses:

Vulnerability                    | Impact                          | Mitigation
---------------------------------|---------------------------------|------------------------------------------
Missing SMB signing              | Allows credential relay         | Enable SMB signing globally
Missing LDAP channel binding     | Permits relay to Domain Controllers | Require LDAP signing and channel binding
Web Proxy Auto-Discovery (WPAD)  | Enables authentication coercion | Disable WPAD where unused
Print Spooler service            | Provides NTLM coercion vector   | Disable if not required

Detection: Finding Relay Attacks in Your Network

Modern detection requires looking for these telltale signs:

  • Unusual authentication patterns: Logons from unexpected locations or at odd hours
  • SMB or LDAP requests without signing: Visible in packet captures
  • Account lockouts following authentication attempts: Especially for privileged accounts
  • Unexpected NTLM traffic: Between systems that should use Kerberos
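The telltale signs above, expressed as a small Python check over constructed Windows Security event 4624 records (added example, not code from the original article). The host inventory, IP addresses and event values are constructed; the relay fingerprint it relies on is the assumption that in a relayed logon the Workstation Name field (taken from the NTLM AUTHENTICATE message) names the victim host while the Source Network Address is the relay box.

```python
"""Heuristic NTLM relay / legacy-NTLM detector over 4624 logon records (constructed data)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    event_id: int
    user: str
    auth_package: str   # AuthenticationPackageName: "Kerberos" or "NTLM"
    lm_package: str     # LmPackageName: "NTLM V1", "NTLM V2", or "-" for Kerberos
    workstation: str    # WorkstationName: name the client sent inside the NTLM message
    source_ip: str      # IpAddress: the actual TCP peer the server saw


# Constructed inventory (assumption): managed hostname -> IP it is expected to connect from.
KNOWN_HOSTS = {"WS01": "10.0.1.10", "WS02": "10.0.1.11", "SRV-FILE": "10.0.2.20"}


def analyse(events: list[Logon]) -> list[tuple[str, Logon]]:
    """Return (finding_type, event) pairs for NTLM logons that match a relay or legacy-NTLM sign."""
    findings: list[tuple[str, Logon]] = []
    for ev in events:
        if ev.event_id != 4624 or ev.auth_package != "NTLM":
            continue                                   # Kerberos logons are the expected baseline
        if ev.lm_package == "NTLM V1":
            findings.append(("ntlmv1_logon", ev))      # NTLMv1 should be gone once NTLMv2 is required
        expected_ip = KNOWN_HOSTS.get(ev.workstation)
        if expected_ip is None:
            findings.append(("unknown_workstation", ev))          # unmanaged host or spoofed name
        elif expected_ip != ev.source_ip:
            # Relay fingerprint: NTLM message names a known victim host, connection comes from elsewhere.
            findings.append(("workstation_ip_mismatch", ev))
        else:
            findings.append(("ntlm_where_kerberos_expected", ev))  # managed host that should use Kerberos
    return findings


# Constructed sample events: one clean Kerberos logon and three NTLM logons with different signs.
SAMPLE_EVENTS = [
    Logon(4624, "alice", "Kerberos", "-", "WS01", "10.0.1.10"),
    Logon(4624, "bob", "NTLM", "NTLM V2", "WS02", "10.0.1.11"),
    Logon(4624, "svc-backup", "NTLM", "NTLM V1", "LEGACY01", "10.0.3.5"),
    Logon(4624, "alice", "NTLM", "NTLM V2", "WS01", "10.0.9.99"),
]

if __name__ == "__main__":
    for kind, ev in analyse(SAMPLE_EVENTS):
        print(f"{kind:30} user={ev.user} workstation={ev.workstation} src={ev.source_ip}")
```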

Advanced detection tools can help:

  • Microsoft Defender for Identity now includes specialized NTLM relay detection
  • Azure Sentinel NTLM relay hunting queries
  • Third-party solutions like BloodHound for attack path visualization

Comprehensive Defense Strategies

1. Authentication Hardening

  • Enable SMB signing on all devices via Group Policy
  • Require LDAP signing and channel binding on Domain Controllers
  • Implement EPA (Extended Protection for Authentication) for web services

2. Network-Level Protections

  • Segment networks to limit credential movement
  • Disable NTLMv1 and require NTLMv2
  • Implement firewall rules to block unnecessary SMB/LDAP between segments

3. Active Directory Configuration

  • Enable Protected Users group for sensitive accounts
  • Implement Authentication Policies and Silos (Windows Server 2025 feature)
  • Audit NTLM usage with Microsoft's NTLM auditing tools

4. Cloud and Hybrid Protections

  • Implement conditional access policies in Azure AD
  • Use Azure AD Connect Health to monitor authentication
  • Enable hybrid security features like Cloud PKI

The Future of NTLM Security

Microsoft has announced plans to deprecate NTLM in Windows Server 2026, but until then:

  • Expect more sophisticated relay variants targeting cloud integrations
  • AI-powered detection will become crucial as attacks evolve
  • Quantum-resistant algorithms may eventually replace both NTLM and Kerberos

Actionable Steps to Take Today

  1. Run the NTLM audit tool to identify usage in your environment
  2. Prioritize SMB and LDAP signing configurations
  3. Educate staff about phishing risks that enable initial access
  4. Implement network segmentation to contain potential attacks
  5. Monitor for authentication anomalies using modern security tools

NTLM relay attacks remain one of the most effective ways attackers move through networks. By understanding the modern variants and implementing layered defenses, organizations can significantly reduce their risk profile in 2025's threat landscape.