An NTLM relay attack is a credential-forwarding technique that abuses the NTLM authentication protocol on any service that accepts it, not just SMB. The attacker intercepts an NTLM authentication exchange and forwards its messages to a different service or server, obtaining the victim's level of access on that target. NTLM relay can target LDAP, HTTP, MSSQL, Exchange, and any other protocol that accepts NTLM authentication.
The attacker coerces or waits for a victim to authenticate using NTLM. This can be triggered through LLMNR poisoning, malicious document links, or forced authentication techniques. The attacker acts as a man-in-the-middle, receiving the victim's NTLM authentication messages and forwarding them to a target service. The target service completes the authentication, believing it is communicating directly with the victim. Depending on the relayed service, the attacker may gain the ability to read or modify Active Directory objects via LDAP, execute queries on databases via MSSQL, or access mailboxes via Exchange. Tools like ntlmrelayx support multi-protocol relay and automated post-exploitation including adding users, modifying ACLs, or dumping credentials.
NTLM relay attacks remain one of the most impactful Active Directory attack vectors because NTLM is still widely enabled for backward compatibility. A single relayed authentication from a privileged account can lead to full domain compromise when it is relayed to LDAP for ACL modifications. Organizations should enforce Extended Protection for Authentication, disable NTLM where feasible, require channel binding on all services, and deploy Credential Guard to protect against NTLM credential theft and relay.
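Channel binding is what makes a relayed exchange fail at the real server: the client binds its NTLMv2 response to the TLS certificate of the endpoint it actually talked to, so a server enforcing Extended Protection sees a binding for the attacker's endpoint, or none at all. The following Python model of that server-side check is an added example, not code from this page or from any Microsoft implementation; the AUTHENTICATE messages are constructed test data, the certificate bytes and SPN `HTTP/web.corp.example` are made up, and the binding assumes a SHA-256-signed certificate (the `tls-server-end-point` rule picks the hash from the certificate's signature algorithm).

```python
import hashlib
import struct

AV_EOL, AV_FLAGS, AV_TARGET_NAME, AV_CHANNEL_BINDINGS = 0x0, 0x6, 0x9, 0xA
MIC_PRESENT = 0x02  # MsvAvFlags bit set when the client added a MIC

def channel_binding_hash(cert_der: bytes) -> bytes:
    """tls-server-end-point binding: MD5 over gss_channel_bindings_struct
    (four zeroed address fields, then length-prefixed application data)."""
    app = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    return hashlib.md5(bytes(16) + struct.pack("<I", len(app)) + app).digest()

def build_authenticate(av_pairs: dict) -> bytes:
    """Constructed minimal AUTHENTICATE_MESSAGE (type 3) carrying only an
    NTLMv2 response; every other payload field is left empty. Test data only."""
    blob = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs.items())
    # NTProofStr (16) + RespType/HiRespType + 26 reserved/timestamp/challenge bytes
    ntv2 = bytes(16) + b"\x01\x01" + bytes(26) + blob + struct.pack("<HH", AV_EOL, 0)
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, 88)                  # LmChallengeResponse (empty)
    hdr += struct.pack("<HHI", len(ntv2), len(ntv2), 88)  # NtChallengeResponse
    hdr += struct.pack("<HHI", 0, 0, 88) * 4              # Domain, User, Workstation, SessionKey
    hdr += struct.pack("<I", 0) + bytes(8) + bytes(16)    # NegotiateFlags, Version, MIC
    return hdr + ntv2                                     # payload starts at byte 88

def parse_av_pairs(ntv2: bytes) -> dict:
    """Walk the AV_PAIR list, which starts after the 44-byte fixed part."""
    pairs, off = {}, 44
    while True:
        av_id, av_len = struct.unpack_from("<HH", ntv2, off)
        if av_id == AV_EOL:
            return pairs
        pairs[av_id] = ntv2[off + 4:off + 4 + av_len]
        off += 4 + av_len

def epa_check(msg: bytes, cert_der: bytes, spn: str) -> str:
    """Decide as a server enforcing EPA would: 'accept' or a rejection reason."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        return "reject: not an AUTHENTICATE message"
    ln, _, pos = struct.unpack_from("<HHI", msg, 20)   # NtChallengeResponseFields
    av = parse_av_pairs(msg[pos:pos + ln])
    cb = av.get(AV_CHANNEL_BINDINGS)
    if not cb or cb == bytes(16):
        return "reject: no channel binding (client did not bind to TLS)"
    if cb != channel_binding_hash(cert_der):
        return "reject: binding for another endpoint (relayed authentication)"
    if av.get(AV_TARGET_NAME, b"").decode("utf-16-le") != spn:
        return "reject: SPN mismatch (client targeted a different service)"
    if not struct.unpack("<I", av.get(AV_FLAGS, bytes(4)))[0] & MIC_PRESENT:
        return "reject: no MIC (messages could be altered in transit)"
    return "accept"
```

The same rejection logic is why an endpoint that merely audits EPA instead of requiring it still accepts the relayed message: the check exists, but nothing acts on its result.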