Exchange Relay X: A Tool for Exploiting NTLM Relay Vulnerabilities in Exchange Web Services
- Exchange Web Services (EWS) is an API that provides access to most things Outlook has access to and supports NTLM by default
- Exchange Relay X is a tool that exploits NTLM relay weaknesses in EWS to take over a user's mailbox: read, send, delete, and manage their inbox, download their attachments, add forwarding rules, scrape data from Active Directory, and launch spearphishing attacks from inside the organization
- The relay bypasses two-factor authentication and works against any user who clicks the link, which puts non-technical, high-value users such as CFOs at particular risk
- To fix this, organizations should implement modern authentication and MFA and filter ports 139 and 445 (SMB), remembering that split-tunnel VPNs and IPv6 are typically a gap in that filtering
The speaker demonstrated Exchange Relay X against an Outlook Web App (OWA) deployment protected by two-factor authentication. The victim receives a phishing email containing a malicious link disguised as a YouTube link. When the victim clicks it, the attack completes on their side: the attacker receives the connection, relays it to the victim's Exchange server, and gains access to the mailbox. From there the attacker can read, send, and delete messages, add forwarding rules, and download every attachment, and the messages the attacker sends do not appear in the victim's Sent folder. For users who are not very technical, such as CFOs, this is a really bad day.
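Since the whole attack depends on EWS still accepting NTLM, a cheap post-hardening check is to request /EWS/Exchange.asmx unauthenticated and read the WWW-Authenticate challenges in the 401 response. The following audit script is an added example, not part of the talk or the Exchange Relay X tool; the header values in the usage note are constructed, and the `probe` helper assumes the endpoint is reachable over HTTPS.

```python
import http.client
import ssl
from urllib.parse import urlparse

EWS_PATH = "/EWS/Exchange.asmx"

def _split_challenges(value):
    """Split a WWW-Authenticate value on commas that are not inside quotes."""
    parts, buf, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts

def parse_www_authenticate(headers):
    """Lower-cased scheme names from all WWW-Authenticate (name, value) pairs."""
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in _split_challenges(value):
            words = challenge.split()
            if words and "=" not in words[0]:   # 'name=value' is a parameter, not a scheme
                schemes.add(words[0].lower())
    return schemes

def assess(schemes):
    """Defender's view of the offered schemes; Negotiate can fall back to NTLM."""
    relayable = bool(schemes & {"ntlm", "negotiate"})
    return {"ntlm_relayable": relayable, "legacy_basic": "basic" in schemes,
            "modern_auth": "bearer" in schemes}

def probe(base_url, timeout=10):
    """Live check (assumed usage): unauthenticated GET, returns (status, schemes)."""
    u = urlparse(base_url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ssl.create_default_context())
    conn.request("GET", EWS_PATH, headers={"User-Agent": "ews-auth-audit"})
    resp = conn.getresponse()
    result = (resp.status, parse_www_authenticate(resp.getheaders()))
    conn.close()
    return result
```

An endpoint that still answers with `Negotiate` and `NTLM` challenges is relayable regardless of the MFA in front of OWA; after enabling modern authentication and disabling Windows authentication on the EWS virtual directory, only a `Bearer` challenge should remain.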