Skip to content

Create headers_microsoft_auth_bypass.yml #3802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MSAdministrator wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Create headers_microsoft_auth_bypass.yml #3802

MSAdministrator wants to merge 3 commits into from

Conversation

@MSAdministrator
Copy link
Member

@MSAdministrator MSAdministrator commented Jan 17, 2026

Description

During a runner request, I was able to identify based on this blog and further hunting several ways to detect improperly configured SPF & Dmarc setups allowing auth failures to bypass traditional security checks.

This is mostly related to organizations not properly configuring their records.

Associated samples

  • See escalation and hunt

Associated hunts

@MSAdministrator MSAdministrator self-assigned this Jan 17, 2026
@MSAdministrator MSAdministrator added the in-test-rules PR is in our testing suite to collect telemetry label Jan 17, 2026
@MSAdministrator MSAdministrator requested a review from a team as a code owner January 17, 2026 04:59
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 17, 2026
@github-actions
[PR sublime-security#3802] added rule: PR# 3802 - Headers: Microsoft …
600a030 
…365 authentication bypass with suspicious error codes
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 17, 2026
@github-actions
[PR sublime-security#3802] added rule: Headers: Microsoft 365 authent…
532be6f 
…ication bypass with suspicious error codes
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 17, 2026
@github-actions
[PR sublime-security#3802] modified rule: PR# 3802 - Headers: Microso…
7b4acb2 
…ft 365 authentication bypass with suspicious error codes
github-actions bot added a commit to aidenmitchell/sublime-rules that referenced this pull request Jan 17, 2026
@github-actions
[PR sublime-security#3802] modified rule: Headers: Microsoft 365 auth…
785abd3 
…entication bypass with suspicious error codes
github-actions bot added a commit that referenced this pull request Jan 20, 2026
@github-actions
[PR #3802] added rule: Headers: Microsoft 365 authentication bypass w…
73b01ba 
…ith suspicious error codes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@MSAdministrator MSAdministrator

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MSAdministrator