A Security Researcher named Dirk-jan Mollema has recently discovered a vulnerability that affects Exchange and described a way that this vulnerability can be exploited to allow an attacker to obtain escalated privileges.

The attack relies on two key components to be successful.

Firstly by using a man-in-the-middle attack method against an Exchange Server to perform an NTLM relay attack ( an attacker intercepting the authentication process). This in itself isn’t actually an real Exchange vulnerability and its caused by the NTLM over HTTP authentication method that Exchange Server uses.

The second component of this vulnerability relates to the ability of an attacker to force Exchange to attempt to authenticate as the computer account. To do this, the attacker has the ability to use Exchange Web Services in order to force Exchange Server to make a new outbound HTTP call that uses NTLM to attempt to authenticate against an arbitrary URL using the EWS Push Subscription feature.

Microsoft is actively working on a hotfix and is not recommending performing any actions until a hotfix is released.

Stay tuned for Updated info!