Changes in NTLM relay in Windows Server 2025

Research by Decoder reveals that Windows Server 2025 introduces hidden modifications to Microsoft's authentication mechanisms that affect how NTLM relay attacks work. The study focuses on how new policies and updated SMB, LDAP, and HTTP components have altered attack behavior within domain environments.
The shift is driven not by a new security policy, but by internal changes to the Microsoft v1 authentication package (msv1_0.dll). This package now strictly blocks the generation of NTLMv1 for cross-domain requests, effectively closing a legacy NTLM attack vector between Domain Controllers (DCs) that was previously a staple in penetration testing and red teaming.
Published
2026-03-04, 08:06