Forum Discussion
CVE-2024-21410
During a brainstorming session we came up with a simple solution for protecting against NTLM relay attacks: when using SSO with APM, you simply either block or remove the Authorization header on the client side. All NTLM should only be present between APM and Exchange.
This will give you insight into who is compromised, as you can log when you see any client-side NTLM headers. It will also stop any NTLM negotiation attempts from the client browser, as that can be considered unwanted information disclosure.
If you are not deploying APM SSO, you could make a semi-protected solution by picking up the first NTLM hash you see from the client and storing it in a table. If you encounter a different hash later in the session, you know it is bad and can either block it or start alarming. It is not bulletproof, but it is better than nothing.
The word on the street is that EPA is expected to be supported in NEXT, late this year.
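
A sketch of the strip-and-log approach from the post as an iRule. This is an added example, not code from the original poster or from F5. It assumes the rule is attached to the client-facing virtual server that publishes Exchange through APM SSO, and that only the NTLM and Negotiate schemes should be removed so other client-side schemes are left alone.

```tcl
# Added example (not from the original post).
# Assumption: APM SSO supplies the server-side NTLM, so any NTLM/Negotiate
# Authorization header arriving from a client is unexpected.
when HTTP_REQUEST {
    if { ![HTTP::header exists "Authorization"] } { return }

    set auth   [string trim [HTTP::header value "Authorization"]]
    set parts  [split $auth " "]
    set scheme [string tolower [lindex $parts 0]]
    if { $scheme ne "ntlm" && $scheme ne "negotiate" } { return }

    # Classify the token for the log line only; the token is never logged.
    set kind "unparsed"
    if { ![catch { b64decode [lindex $parts end] } raw] } {
        # NTLMSSP messages start with "NTLMSSP\0" followed by a
        # 32-bit little-endian message type.
        if { [binary scan $raw a7x1i sig type] == 2 && $sig eq "NTLMSSP" } {
            switch -- $type {
                1       { set kind "ntlmssp-negotiate" }
                3       { set kind "ntlmssp-authenticate" }
                default { set kind "ntlmssp-type-$type" }
            }
        }
    }

    log local0.warning "client-side $scheme Authorization header ($kind) from [IP::client_addr] for [HTTP::host][HTTP::path] on [virtual name]; header removed"

    # Drop every Authorization header before the request goes any further.
    HTTP::header remove "Authorization"
}
```

Negotiate tokens wrapped in SPNEGO do not begin with the NTLMSSP signature and are logged as "unparsed"; they are still removed.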