Headers: Self-sender using Microsoft CompAuth bypass with credential theft content
Detects messages sent to self or invalid domains containing credential theft content that bypass Microsoft's CompAuth while failing both SPF and DMARC authentication checks.
# Sublime Security detection rule. The `source` block scalar holds the MQL query
# evaluated against each message; every `and` clause must hold for a match.
name: "Headers: Self-sender using Microsoft CompAuth bypass with credential theft content"
description: "Detects messages sent to self or invalid domains containing credential theft content that bypass Microsoft's CompAuth while failing both SPF and DMARC authentication checks."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender: exactly one explicit recipient (To only, no Cc/Bcc) ...
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  // ... whose address is the sender's own address, or whose domain does not
  // parse as a valid domain
  and (
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  // cred theft: the NLU classifier reports a "cred_theft" intent on the
  // current thread text at any confidence other than "low"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
  // microsoft compauth pass, but spf and dmarc fail
  // Case-insensitive substring search over every header field value on every
  // hop; it is not scoped to the Authentication-Results header.
  and any(headers.hops, any(.fields, strings.icontains(.value, 'compauth=pass')))
  // coalesce(..., false) turns a missing (null) DMARC/SPF verdict into a
  // failure, so messages with no SPF/DMARC result at all also satisfy these
  // two clauses, not only those with an explicit fail.
  and not coalesce(headers.auth_summary.dmarc.pass, false)
  and not coalesce(headers.auth_summary.spf.pass, false)
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Spoofing"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
id: "549c4e66-ec29-50f5-aff7-4a85fa7318da"