Headers: Self-sender using Microsoft CompAuth bypass with credential theft content

Detects messages sent to self or invalid domains containing credential theft content that bypass Microsoft's CompAuth while failing both SPF and DMARC authentication checks.

Sublime rule

# Sublime Security detection rule; the `source` block is MQL.
# It fires on a single-recipient inbound message that is addressed back to the
# sender (or to a recipient domain that does not validate), whose body the NLU
# classifier tags as credential theft, and whose headers show Microsoft
# composite authentication passing while SPF and DMARC both fail.
name: "Headers: Self-sender using Microsoft CompAuth bypass with credential theft content"
description: "Detects messages sent to self or invalid domains containing credential theft content that bypass Microsoft's CompAuth while failing both SPF and DMARC authentication checks."
type: "rule"
severity: "high"
source: |
  type.inbound
  // self sender
  // Require exactly one To recipient and no Cc/Bcc so the "sent to self"
  // comparison below refers to a single, unambiguous address.
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  and (
    // Either the sender address is the sole recipient address, or that
    // recipient's domain fails the platform's domain validation.
    sender.email.email == recipients.to[0].email.email
    or recipients.to[0].email.domain.valid == false
  )
  // cred theft
  // NLU intent classification on the current-thread body text; "low"
  // confidence hits are excluded to limit noise.
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
  // microsoft compauth pass, but spf and dmarc fail
  // Case-insensitive substring match over the value of every field in every
  // hop, so any header carrying "compauth=pass" (typically Authentication-Results)
  // satisfies this clause. NOTE(review): the match does not pin the header name or
  // the accompanying reason code; confirm that is intended before tightening it.
  and any(headers.hops, any(.fields, strings.icontains(.value, 'compauth=pass')))
  // Neither SPF nor DMARC passed per the parsed auth summary, despite the
  // CompAuth pass above.
  and not headers.auth_summary.dmarc.pass
  and not headers.auth_summary.spf.pass  
# Classification metadata for the rule.
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Spoofing"
  - "Evasion"
detection_methods:
  - "Natural Language Understanding"
  - "Header analysis"
  - "Sender analysis"
# Rule identifier (UUID).
id: "549c4e66-ec29-50f5-aff7-4a85fa7318da"
