If you think you’ve blocked NTLMv1 in your organization, think again. Silverfort’s research team recently discovered that attackers can bypass the Group Policy designed to disable NTLMv1, allowing insecure authentications to persist in Active Directory environments. These findings highlight a critical gap: even when organizations believe they have secured their systems, NTLMv1 remains a hidden backdoor for credential theft, lateral movement and privilege escalation. With over 64% of Active Directory accounts still authenticating with NTLM protocols despite their known weaknesses, NTLMv1 continues to represent a serious risk.

TL;DR

News: Silverfort’s research team discovered a new way for attackers to use NTLMv1 in attacks, despite efforts to disable it. Using a misconfiguration in on-prem applications, attackers can bypass the Group Policy designed to stop NTLMv1 authentications.

Why it matters: 64% of Active Directory user accounts regularly authenticate with NTLM, despite its known weaknesses and its deprecation by Microsoft. Many organizations attempted to solve the NTLMv1 problem with an Active Directory Group Policy. However, we discovered that this policy is flawed and allows NTLMv1 authentications to persist, creating a false sense of protection and leaving organizations exposed. Attackers know NTLMv1 is a weak authentication protocol and actively seek it out as a method to move laterally or escalate privileges.

Who’s affected: Any organization that uses third-party or home-grown on-prem applications, and any organization that does not strictly use Windows machines. For example, if a Mac computer connects to a bank application, it could be compromised.

Impact to organizations: An attacker sitting on a network can see the NTLMv1 traffic and crack the users’ credentials offline, opening the door to lateral movement and privilege escalation. Our POC emulates an application bypassing the fencing, validating that this misconfiguration works to an attacker’s advantage.
Result of disclosure: While Microsoft Security Response Center (MSRC) indicated the NTLMv1 bypass is not a vulnerability, they took proactive measures to enhance security by announcing the complete removal of NTLMv1 within two months of our disclosure, starting with Windows 11 version 24H2 and Windows Server 2025.

We recently hosted a webinar where I took people through the research in more detail, showing how to mitigate NTLMv1 authentications in the absence of a patch. You can watch this webinar on demand here.

Summary & Mitigations

Despite its historical significance, NTLM represents a considerable security liability. Its outdated cryptographic methods, well-documented weaknesses and lack of modern security features (such as MFA and server identity validation) make it an attractive target for attackers. NTLMv1 hashes can be intercepted and used for authentication relay attacks or even dictionary attacks, granting attackers unauthorized access to sensitive systems. New NTLM vulnerabilities have been disclosed over the last few months, including a zero-day. More recently, ClearSky discovered an NTLM vulnerability exploited by Russian threat actors as part of an attack chain that delivers the open-source Spark RAT malware.

Many organizations proactively use Microsoft’s Group Policy mechanism to stop NTLMv1, believing this will protect them from insecure NTLMv1 authentications. However, our research shows that on-prem applications can be configured to enable NTLMv1, negating the LAN Manager authentication level Group Policy setting in Active Directory. Organizations think they are doing the right thing by setting this Group Policy, but it is still being bypassed by the misconfigured application. Until applications cannot be configured to authenticate with NTLMv1, the problem will persist.
At Silverfort, we’ve seen many attempts to authenticate via NTLMv1 across our customer base. We work closely with our customers to map and detect NTLMv1 usage and apply risk-based fencing to reduce the risk of compromise. Without a patch for NTLMv1, businesses that used NTLMv1 in the past should consider the following:

1. Enabling audit logs for all NTLM authentications in the domain.
2. Mapping all applications that use NTLM authentication, either as their first choice or as a fallback.
3. Detecting vulnerable applications that request that clients use NTLMv1 messages.
4. Fencing all NTLM with a modern authentication method.

What is NTLMv1 and why is it a problem?

NTLM (NT LAN Manager) is a legacy Microsoft authentication protocol that dates back to the early 1990s. It was originally designed to verify user identities in Windows networks, and while it has been large...
Silverfort researchers discovered a misconfiguration in on-prem applications that allows attackers to bypass the Group Policy Object (GPO) designed to disable NTLMv1, enabling the continued use of the weak authentication protocol for credential theft and lateral movement. Microsoft does not classify this as a vulnerability but has announced the complete removal of NTLMv1 starting with Windows 11 version 24H2 and Windows Server 2025. Organizations should watch the provided on-demand webinar for detailed mitigation strategies in the absence of a patch.
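The first three mitigation steps the post recommends (enable NTLM auditing, map the applications behind NTLM logons, detect the ones still using NTLMv1) can be worked from the Security event log: once logon auditing is on, every network logon is recorded as event ID 4624, and its LmPackageName field states whether the NTLM exchange was "NTLM V1", "NTLM V2" or "LM". The following is an added example, not Silverfort’s code or tooling, that parses 4624 events exported in Windows event XML (for instance from `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml` on a domain controller, split into one `<Event>` element per string) and groups the weak-package logons by source address, workstation and account, which is the information needed to identify the misconfigured application. The sample events, host names and addresses are constructed for illustration.

```python
"""Flag NTLMv1 and LM logons in exported Security log events (event ID 4624).

Added example (not part of the original post). Input is Windows event XML,
one <Event> element per string. The LmPackageName field of 4624 carries the
NTLM flavour actually negotiated, which is the signal a domain-wide
"refuse LM & NTLM" policy is supposed to have eliminated.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WEAK_PACKAGES = {"NTLM V1", "LM"}   # anything here on a DC is worth chasing


def _event(target_user, domain, workstation, ip, lm_package,
           auth_pkg="NTLM", logon_type="3"):
    """Build one constructed 4624 event in Windows event XML shape."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4624</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{target_user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="AuthenticationPackageName">{auth_pkg}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="LmPackageName">{lm_package}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample: two NTLMv1 logons from a non-Windows client, one LM
# logon from a legacy app server, one healthy NTLMv2 logon, one Kerberos logon.
SAMPLE_EVENTS = [
    _event("svc_bank", "CORP", "MAC-FINANCE", "10.0.5.17", "NTLM V1"),
    _event("svc_bank", "CORP", "MAC-FINANCE", "10.0.5.17", "NTLM V1"),
    _event("jdoe", "CORP", "WS042", "10.0.7.3", "NTLM V2"),
    _event("legacy_app", "CORP", "APPSRV01", "10.0.2.9", "LM"),
    _event("asmith", "CORP", "WS017", "10.0.7.8", "-", auth_pkg="Kerberos"),
]


def parse_4624(xml_text):
    """Return the fields we care about from one 4624 event, or None if it
    is some other event ID."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", NS)
    if event_id is None or event_id.text != "4624":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "user": data.get("TargetUserName", ""),
        "domain": data.get("TargetDomainName", ""),
        "workstation": data.get("WorkstationName", ""),
        "ip": data.get("IpAddress", ""),
        "logon_type": data.get("LogonType", ""),
        "auth_package": data.get("AuthenticationPackageName", ""),
        "lm_package": data.get("LmPackageName", ""),
    }


def find_weak_logons(events):
    """Keep only NTLM logons whose negotiated package is NTLM V1 or LM."""
    hits = []
    for xml_text in events:
        ev = parse_4624(xml_text)
        if ev and ev["auth_package"] == "NTLM" and ev["lm_package"] in WEAK_PACKAGES:
            hits.append(ev)
    return hits


def summarize_by_source(hits):
    """Count weak logons per (ip, workstation, DOMAIN\\user, package) so each
    row points at one client/application to investigate."""
    return Counter(
        (h["ip"], h["workstation"], f'{h["domain"]}\\{h["user"]}', h["lm_package"])
        for h in hits
    )


if __name__ == "__main__":
    weak = find_weak_logons(SAMPLE_EVENTS)
    for (ip, ws, acct, pkg), n in summarize_by_source(weak).most_common():
        print(f"{pkg:8} {acct:20} from {ws} ({ip})  x{n}")
```

Run against real exports, the rows with "NTLM V1" or "LM" are the ones that contradict a domain set to refuse those responses; the source workstation and address identify the client or application to map, and the target account tells you whose credential is exposed to offline cracking. Kerberos logons carry "-" in LmPackageName and are ignored, and the check on AuthenticationPackageName keeps the filter honest if a field is missing.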