As of June 13th, 2024 SigParser's cloud environment no longer supports NTLM authentication for Exchange servers. We only support Basic going forward.
The SigParser On Premise Engine continues to be able to connect to Exchange when run on a Windows operating system. If you would like to use our On Premise Engine please contact support. Future versions of Windows Server may not support Exchange though so the On Premise Engine may only work up to Windows Server 2022.
⚠️ We suggest customers still using Exchange move to Microsoft 365 hosted email and connect via mail enabled security groups with app registrations.
Basic Authentication
Your Exchange server needs to use Basic authentication. We recommend Basic as long as your Exchange server is using HTTPS and it is a good fit for your organization.
How can I know which authentication types are supported by my Exchange server?
Go to your Exchange server URL in a browser with the dev tools open and look at the response headers.
The three Www-Authenticate headers in the picture indicate the server will accept both NTLM and Basic connections. The "Negotiate" header tells our client that the server can handle multiple types of connections.
Why is NTLM no longer supported?
In order to maintain operational security SigParser upgrades to the latest software versions from Microsoft. .NET 6 long term support was ending and when SigParser upgraded to .NET 8 NTLM authentication for Exchange was broken on the official Linux images distributed by Microsoft. Microsoft is unlikely to fix this. Since almost all of our past Exchange customers have moved over to Microsoft 365 SigParser has decided not to support Exchange connectivity via NTLM in our cloud environment.
Additional Context
Microsoft announced in October 2023 they are deprecating NTLM on Windows 11 and officially deprecated it on June 4th, 2024. NTLM has been involved in various attacks included NTLM relay attacks.
From Bleeping Computer:
A new DFSCoerce Windows NTLM relay attack has been discovered that uses MS-DFSNM, Microsoft's Distributed File System, to completely take over a Windows domain.
Many organizations utilize Microsoft Active Directory Certificate Services, a public key infrastructure (PKI) service that is used to authenticate users, services, and devices on a Windows domain.
However, this service is vulnerable to NTLM relay attacks, which is when threat actors force, or coerce, a domain controller to authenticate against a malicious NTLM relay under an attacker's control.