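--- a/detection-rules/headers_microsoft_auth_bypass.yml
+++ b/detection-rules/headers_microsoft_auth_bypass.yml
@@ -0,0 +1,50 @@
+name: "Headers: Microsoft 365 authentication bypass with suspicious error codes"
+description: "Detects messages that failed DMARC or SPF authentication in Microsoft 365 with specific error codes indicating potential bypass attempts through on-premises Exchange environments or third-party services."
+type: "rule"
+severity: "high"
+source: |
+type.inbound
+and any(filter(headers.hops, .index == 1),
+any(.fields,
+.name == "Authentication-Results"
+and (
+regex.contains(.value, 'dmarc=(fail|none)\saction=none')
+or regex.contains(.value,
+'spf=(fail|softfail|temperror)\s\(sender\sIP\sis\s'
+)
+)
+and (
+// MX record points to on-premises Exchange environment or a third-party service before reaching Microsoft 365
+strings.contains(.value, 'reason=905')
+// Same but message delivered to spam folder
+or strings.contains(.value, 'reason=451')
+// tried to impersonate within same domain but failed authentication
+or strings.contains(.value, "reason=601")
+// or no reason given
+or not strings.contains(.value, "reason=")
+)
+and not (
+// exclude passes
+regex.contains(.value, 'spf=(pass)\s\(sender\sIP\sis\s')
+// ignore proper action type when dmarc fails
+or regex.contains(.value, 'dmarc=fail\saction=oreject')
+// excluding properly configured dmarc failures
+// failed explicit email authentication
+or strings.contains(.value, 'reason=000')
+// failed implicit email authenticaton
+or strings.contains(.value, 'reason=001')
+)
+)
+)
+tags:
+- "Attack surface reduction"
+attack_types:
+- "BEC/Fraud"
+- "Credential Phishing"
+- "Malware/Ransomware"
+tactics_and_techniques:
+- "Evasion"
+- "Spoofing"
+detection_methods:
+- "Header analysis"
+id: "c1d38e49-d801-5ebe-9288-708bc400acab"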
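Review bot: The "no reason given" branch (`or not strings.contains(.value, "reason=")`) makes the rule fire on any first-hop Authentication-Results header that carries an `spf=softfail`/`temperror` or `dmarc=none action=none` verdict but no `reason=` token, and nothing in the query ties that header to Microsoft 365 despite the name and description. If the `reason=` codes are Microsoft's composite-authentication codes, as the comments suggest, a non-Microsoft authserv (Google Workspace, a third-party gateway) never emits them, so every such softfail or no-DMARC-policy message would match this high-severity rule. Consider anchoring the header on Microsoft's own marker next to the name check, e.g. `.name == "Authentication-Results" and strings.contains(.value, "compauth=")`, or on the authserv-id, so the fallback branch only applies where a reason code would otherwise be expected. Also worth noting in a `false_positives` field or comment that `dmarc=none action=none` matches senders with no DMARC record at all, not only failed checks, and that the hop used is `.index == 1` rather than the Microsoft 365 hop specifically.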