Netcrook

WIKICROOK

NTLM relay

A technique where an attacker forwards NTLM authentication messages to a service that accepts them, sometimes leading to unauthorized access.

NTLM relay is an attack technique that intercepts Windows NTLM authentication messages and forwards them to another service that will accept them. Instead of cracking a password, the attacker reuses the victim’s live authentication exchange to impersonate that user or machine. This can lead to unauthorized access, especially when services do not require additional protections such as signing, channel binding, or strong multi-factor authentication.

It matters because NTLM is still present in many enterprise networks, legacy applications, and administrative workflows. Attackers often use relay against SMB, LDAP, HTTP, or other services to gain privileges, create accounts, or reach sensitive systems from an exposed perimeter. Defenders reduce risk by disabling NTLM where possible, enforcing SMB signing and LDAP signing, using MFA for remote access, segmenting networks, and monitoring for unusual authentication paths or suspicious logon chains.
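One way to implement the monitoring step, as an added example that is not part of the original entry: in a relayed logon the workstation name carried inside the NTLM message is the victim's, while the network connection arrives from the relaying host, so a name/IP mismatch in Security event 4624 is worth reviewing. The inventory, host names, addresses and events below are constructed sample data, and the function name is hypothetical.

```python
# Constructed asset inventory: workstation name -> address on record (assumption).
INVENTORY = {"WS-FINANCE01": "10.0.5.21", "WS-HR02": "10.0.5.34"}

# Constructed sample events using Windows Security event 4624 field names.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "WS-FINANCE01",
     "IpAddress": "10.0.5.21", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "WorkstationName": "WS-HR02",
     "IpAddress": "10.0.9.77", "Computer": "DC01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "WorkstationName": "-",
     "IpAddress": "10.0.9.77", "Computer": "FS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "dave", "WorkstationName": "LAPTOP-UNKNOWN",
     "IpAddress": "10.0.7.5", "Computer": "FS01"},
]


def find_relay_candidates(events, inventory):
    """Return NTLM network logons whose source IP cannot be tied to the named workstation."""
    findings = []
    for ev in events:
        # Only successful network logons (type 3) are relevant here.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        # Kerberos logons are out of scope for this check.
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        name = ev.get("WorkstationName", "").upper()
        src = ev.get("IpAddress", "")
        expected = inventory.get(name)
        if expected is None:
            reason = "unknown-workstation"  # cannot verify; lower confidence
        elif expected != src:
            reason = "ip-mismatch"  # name says one host, traffic came from another
        else:
            continue
        findings.append({"user": ev.get("TargetUserName"), "target": ev.get("Computer"),
                         "workstation": name, "source_ip": src,
                         "expected_ip": expected, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_relay_candidates(EVENTS, INVENTORY):
        print(finding)
```

DHCP churn, NAT and VPN concentrators also produce mismatches, so treat hits as leads to correlate with other logon activity from the same source address.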