One-Click to OWA

Conference:  Defcon 26



Exchange Relay X: A Tool for Exploiting NTLM Relay Vulnerabilities in Exchange Web Services
  • Exchange Web Services (EWS) is an API that exposes most of what Outlook can access, and it accepts NTLM authentication by default
  • Exchange Relay X relays a victim's NTLM authentication to EWS and takes over the mailbox: read, send, delete and manage messages, download attachments, add forwarding rules, scrape data from Active Directory, and launch spearphishing attacks from inside the organization
  • Because EWS typically sits outside the two-factor protection applied to OWA, the tool bypasses 2FA and is most dangerous against high-value, non-technical users such as CFOs
  • To close the gap, organizations should implement modern authentication and MFA, egress-filter TCP ports 139 and 445, and remember that split-tunnel VPNs and IPv6 typically leave holes in that filtering
The speaker demonstrated how Exchange Relay X defeats an Outlook Web App (OWA) deployment that is protected by two-factor authentication. The victim receives a phishing email containing a malicious link disguised as a YouTube link. A single click is all that is required on the victim's side: their client authenticates with NTLM to the attacker's listener, which relays that authentication to the Exchange server's EWS endpoint. The attacker can then open the victim's mailbox, read and delete messages, add forwarding rules, download every attachment, and send mail that never appears in the victim's Sent folder. For users who are not very technical, such as a CFO, this is a very bad day.
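To make the relay concrete, here is a small Python model of the exchange described above. It is an added example written for this page, not ExchangeRelayX or any Microsoft code. It models the victim's mail client, the attacker's listener and the EWS endpoint; the NTLMv2 response computation (HMAC-MD5 over the server challenge plus the client blob, as in MS-NLMP) is real, the HTTP and TLS framing is not. The attacker only forwards messages: it never learns the password or NT hash, and MFA on OWA never enters the picture because EWS is a separate endpoint. Beyond the page's own mitigation list, the model also shows why Extended Protection (TLS channel binding) breaks the relay: the victim's blob binds to the attacker's certificate, so the real server rejects it. The names MailClient, EwsEndpoint and relay_attack, the user cfo, the password and the certificate hashes are invented for the demo; the MD5 fallback for the NT hash is a stand-in for MD4 on Python builds whose OpenSSL lacks it.

```python
"""Toy model of NTLM relay against an Exchange EWS endpoint (added example)."""
import hashlib
import hmac
import os
import struct
import time


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)). MD4 is missing from some OpenSSL
    builds; the MD5 fallback keeps the demo runnable and does not change the
    relay logic (the attacker never computes this value anyway)."""
    data = password.encode("utf-16le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.md5(data).digest()  # stand-in only, not real NTLM


def ntlmv2_key(nthash, user, domain):
    """ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def channel_binding_av(tls_cert_hash):
    """MsvAvChannelBindings AV_PAIR (id 0x000A): MD5 of the channel binding
    struct. Only the tls-server-end-point certificate hash is modelled."""
    cb = hashlib.md5(b"tls-server-end-point:" + tls_cert_hash).digest()
    return struct.pack("<HH", 0x000A, len(cb)) + cb


def build_temp(target_name, client_chal, tls_cert_hash):
    """The NTLMv2 'blob': version, FILETIME, client challenge, AV_PAIRs.
    Everything in here is covered by the HMAC, so a relay cannot edit it."""
    av_pairs = struct.pack("<HH", 0x0002, len(target_name)) + target_name  # MsvAvNbDomainName
    if tls_cert_hash is not None:
        av_pairs += channel_binding_av(tls_cert_hash)
    av_pairs += struct.pack("<HH", 0x0000, 0)  # MsvAvEOL
    filetime = struct.pack("<Q", int(time.time() * 10_000_000) + 116444736000000000)
    return b"\x01\x01" + b"\x00" * 6 + filetime + client_chal + b"\x00" * 4 + av_pairs + b"\x00" * 4


def nt_proof(key, server_chal, temp):
    """NTProofStr = HMAC-MD5(ResponseKeyNT, ServerChallenge || temp)."""
    return hmac.new(key, server_chal + temp, hashlib.md5).digest()


class MailClient:
    """Victim's Outlook/browser. It NTLM-authenticates to whatever host the
    phishing link points at, binding to the TLS certificate of that host."""

    def __init__(self, user, domain, password):
        self.user, self.domain = user, domain
        self.key = ntlmv2_key(nt_hash(password), user, domain)

    def authenticate(self, server_chal, target_name, peer_cert_hash):
        temp = build_temp(target_name, os.urandom(8), peer_cert_hash)
        return {"user": self.user, "domain": self.domain,
                "nt_proof": nt_proof(self.key, server_chal, temp), "temp": temp}


class EwsEndpoint:
    """Exchange EWS virtual directory accepting NTLM. With require_epa=True it
    enforces Extended Protection: the blob must bind to its own certificate."""

    def __init__(self, name, cert_hash, nt_hashes, require_epa=False):
        self.name, self.cert_hash, self.require_epa = name, cert_hash, require_epa
        self.nt_hashes = nt_hashes  # what the domain controller would look up

    def challenge(self):
        return os.urandom(8)

    def verify(self, server_chal, auth):
        nthash = self.nt_hashes.get(auth["user"])
        if nthash is None:
            return False
        key = ntlmv2_key(nthash, auth["user"], auth["domain"])
        if not hmac.compare_digest(nt_proof(key, server_chal, auth["temp"]), auth["nt_proof"]):
            return False  # wrong password or tampered blob
        if self.require_epa:  # a real server parses the AV_PAIRs; substring check is enough here
            return channel_binding_av(self.cert_hash) in auth["temp"]
        return True


def relay_attack(victim, target, attacker_cert_hash):
    """Attacker's listener after the victim clicked the link:
    1. open a session to the real EWS endpoint and fetch its challenge;
    2. hand that challenge to the victim, who answers it against the
       attacker's TLS certificate (the only one the victim sees);
    3. forward the answer to EWS unchanged. No password or hash is needed."""
    server_chal = target.challenge()
    auth = victim.authenticate(server_chal, target.name, attacker_cert_hash)
    return target.verify(server_chal, auth)


def legit_login(victim, target):
    """The same exchange with the victim talking to Exchange directly."""
    server_chal = target.challenge()
    auth = victim.authenticate(server_chal, target.name, target.cert_hash)
    return target.verify(server_chal, auth)


if __name__ == "__main__":
    cfo = MailClient("cfo", "CORP", "Winter2018!")          # invented victim
    directory = {"cfo": nt_hash("Winter2018!")}
    exch_cert, attacker_cert = os.urandom(32), os.urandom(32)  # invented cert hashes
    ews_default = EwsEndpoint(b"CORP", exch_cert, directory)
    ews_epa = EwsEndpoint(b"CORP", exch_cert, directory, require_epa=True)
    print("relay vs default EWS:", relay_attack(cfo, ews_default, attacker_cert))
    print("relay vs EWS with Extended Protection:", relay_attack(cfo, ews_epa, attacker_cert))
    print("real user vs EWS with Extended Protection:", legit_login(cfo, ews_epa))
```

Run it and the three lines print True, False, True. Nothing in the model depends on how the victim's NTLM connection reaches the attacker: the same click can trigger HTTP or SMB (TCP 139/445) authentication to the attacker's host, which is why the talk pairs modern authentication with egress filtering and warns that split-tunnel VPNs and IPv6 routes often escape that filter.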


With the presence of 2FA/MFA solutions growing, the attack surface for external attackers that have successfully phished/captured/cracked credentials is shrinking. However, many 2FA/MFA solutions leave gaps in their coverage which can allow attackers to leverage those credentials. For example, while OWA may be protected with 2FA, the Exchange Web Services Management API (EWS) offers many of the same features and functionalities without the same protections. In this talk, I will introduce ExchangeRelayX, an NTLM relay tool that provides attackers with access to an interface that resembles a victim's OWA UI and has many of its functionalities - without ever cracking the relayed credentials. ExchangeRelayX takes advantage of the gap in some 2FA/MFA solutions protecting Exchange, potentially resulting in a single-click phishing scheme enabling an attacker to exfiltrate sensitive data, perform limited Active Directory enumeration, and execute further internal phishing attacks.