THREAT INTEL | CRITICAL

NTLM Relay Attacks Surge 300% — Microsoft Issues Urgent Guidance

April 3, 2026
5 min read
Source: Microsoft Threat Intelligence
Affected Systems
  • Windows Active Directory
  • Windows Server 2019/2022
  • Windows 10/11 domain-joined systems
  • SMB file shares
  • Exchange Server
Executive Summary

Microsoft's threat intelligence team reported a 300% increase in NTLM relay attacks targeting Windows environments in Q1 2026. SMBs using on-premises Active Directory are particularly at risk.

What Are NTLM Relay Attacks

NTLM (NT LAN Manager) is a legacy Windows authentication protocol that has been largely superseded by Kerberos but remains widely used in Windows environments for backward compatibility. NTLM relay attacks exploit a fundamental weakness in the NTLM authentication process: when a Windows system authenticates to a server using NTLM, an attacker positioned between the client and server can capture the authentication exchange and relay it to a different server, effectively impersonating the victim. This allows attackers to authenticate to other systems on the network using the victim's credentials without ever knowing the actual password.

Why Attacks Are Surging

Microsoft's threat intelligence team observed a 300% increase in NTLM relay attacks in Q1 2026 compared to Q1 2025. Several factors are driving this surge. First, improved tooling — open-source attack tools like Responder and ntlmrelayx have become more sophisticated and easier to use. Second, many organizations still have NTLM enabled throughout their environments due to legacy application dependencies. Third, attackers have found new techniques to trigger NTLM authentication from victim systems, including through malicious Office documents, printer spooler abuse, and WebDAV coercion. Once an attacker gains a foothold on a network — even with limited privileges — NTLM relay attacks can quickly escalate to domain administrator access.

Mitigations and Protections

Microsoft recommends a layered approach to mitigating NTLM relay attacks. First, enable SMB signing on all Windows systems — this prevents relay attacks over SMB. Second, enable LDAP signing and channel binding on all domain controllers — this prevents relay attacks targeting Active Directory. Third, enable Extended Protection for Authentication (EPA) on all IIS and Exchange servers. Fourth, consider disabling NTLM entirely if your environment supports it — Microsoft has published guidance on how to audit and gradually disable NTLM. Fifth, implement network segmentation to limit the blast radius if an attacker does gain a foothold.
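The following PowerShell script is an added example, not Microsoft's guidance script and not code from the article: it performs a read-only audit of the settings the five steps above describe (SMB signing on client and server, LDAP signing and channel binding on domain controllers, Extended Protection for Authentication on IIS, and the NTLM restriction and auditing levels used when phasing NTLM out). It assumes an elevated PowerShell session on the host being checked, the documented Windows registry value names for each setting, and appcmd.exe at its default IIS location; it does not change anything.

```powershell
# Added example (not Microsoft's or the article's own code): read-only audit of the
# NTLM relay hardening settings the article lists. Run from an elevated PowerShell
# session on each server or domain controller. Nothing here modifies a setting.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value: the Windows default applies
}

function Test-Setting {
    # $Required -1 marks an informational row (a posture the article says to "consider").
    param([string]$Area, [string]$Path, [string]$Name, [int]$Required, [string]$Meaning)
    $current = Get-RegValue -Path $Path -Name $Name
    $status = if ($Required -lt 0) { 'INFO' } elseif ($null -ne $current -and [int]$current -ge $Required) { 'OK' } else { 'FIX' }
    [pscustomobject]@{
        Area     = $Area
        Setting  = $Name
        Current  = if ($null -eq $current) { '(not set)' } else { $current }
        Required = if ($Required -lt 0) { 'n/a' } else { $Required }
        Status   = $status
        Meaning  = $Meaning
    }
}

function Get-IisEpaSetting {
    # Server-level default for Windows authentication in IIS. Individual sites can
    # override it, so check site-level config as well when the default is not "Require".
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    if (-not (Test-Path $appcmd)) { return '(IIS not installed)' }
    $xml = & $appcmd list config -section:system.webServer/security/authentication/windowsAuthentication
    if ("$xml" -match 'tokenChecking="(\w+)"') { $Matches[1] } else { 'None (default)' }
}

function Get-NtlmRelayHardeningReport {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = "$lsa\MSV1_0"
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    $rows = @(
        Test-Setting 'SMB server' $srv 'RequireSecuritySignature' 1 '1 = server requires SMB signing'
        Test-Setting 'SMB client' $wks 'RequireSecuritySignature' 1 '1 = client requires SMB signing'
        Test-Setting 'NTLM' $lsa 'LmCompatibilityLevel' 5 '5 = send NTLMv2 only, refuse LM and NTLMv1'
        Test-Setting 'NTLM' $msv 'AuditReceivingNTLMTraffic' 2 '2 = audit incoming NTLM for all accounts'
        Test-Setting 'NTLM' $msv 'RestrictReceivingNTLMTraffic' -1 '2 = deny all incoming NTLM (only once apps allow)'
        Test-Setting 'NTLM' $msv 'RestrictSendingNTLMTraffic' -1 '2 = deny all outgoing NTLM (only once apps allow)'
    )
    if ($isDc) {
        $rows += Test-Setting 'LDAP (DC)' $ntds 'LDAPServerIntegrity' 2 '2 = require LDAP signing'
        $rows += Test-Setting 'LDAP (DC)' $ntds 'LdapEnforceChannelBinding' 2 '2 = always require channel binding'
    }
    $epa = Get-IisEpaSetting
    $rows += [pscustomobject]@{
        Area     = 'IIS'
        Setting  = 'extendedProtection tokenChecking'
        Current  = $epa
        Required = 'Require'
        Status   = if ($epa -eq 'Require') { 'OK' } elseif ($epa -like '(IIS*') { 'N/A' } else { 'FIX' }
        Meaning  = 'Require = Extended Protection for Authentication enforced'
    }
    $rows
}

function Get-NtlmAuditSummary {
    # Only populated once NTLM auditing is enabled (AuditReceivingNTLMTraffic above).
    # Counts per event ID show how much NTLM traffic the host still sees before
    # the restriction values are raised.
    try {
        Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 5000 -ErrorAction Stop |
            Group-Object Id | Select-Object @{n='EventId';e={$_.Name}}, Count
    } catch { Write-Warning 'NTLM operational log is empty or auditing is not enabled on this host.' }
}

Get-NtlmRelayHardeningReport | Format-Table -AutoSize
Get-NtlmAuditSummary
```

Rows marked FIX correspond to the first three steps above and should be corrected through Group Policy rather than by editing the registry directly; the two INFO rows and the audit summary support the fourth step, where NTLM is first audited and only then restricted once the audit log shows no remaining dependencies.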

Key Takeaways & Action Items
  • Disable NTLM authentication where possible — use Kerberos instead
  • Enable Extended Protection for Authentication (EPA) on all IIS and Exchange servers
  • Enable SMB signing on all Windows systems to prevent relay attacks
  • Implement LDAP signing and channel binding on all domain controllers
  • Contact Segler.Net to assess your NTLM exposure and implement mitigations

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.
