High Severity

Headers: Self-sender using Microsoft CompAuth bypass with credential theft content

Description

Detects messages addressed to the sender's own mailbox (or to a recipient whose domain is invalid) that carry credential theft content and that pass Microsoft's composite authentication (compauth) while failing both SPF and DMARC. A compauth=pass result on a message that fails both underlying checks is the anomaly this rule keys on.

References

No references.

Sublime Security
Created Apr 21st, 2026 • Last updated Apr 21st, 2026
Source
type.inbound
// self sender
and length(recipients.to) == 1
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
and (
  sender.email.email == recipients.to[0].email.email
  or recipients.to[0].email.domain.valid == false
)
// cred theft
and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence != "low"
)
// microsoft compauth pass, but spf and dmarc fail
and any(headers.hops, any(.fields, strings.icontains(.value, 'compauth=pass')))
and not headers.auth_summary.dmarc.pass
and not headers.auth_summary.spf.pass
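As an added example (not Sublime's code and not MQL), the following Python script re-implements the same three conditions over a constructed EML so the logic can be exercised offline: the self-sender or invalid-domain recipient check, a credential theft content check, and the contrast between compauth=pass and failing SPF/DMARC results in the Authentication-Results header. Two parts are assumptions standing in for things the script cannot reproduce: `domain_valid` is a purely syntactic approximation of MQL's `domain.valid`, and `has_cred_theft_content` is a keyword heuristic in place of `ml.nlu_classifier`. The sample message, its addresses and its Authentication-Results values are constructed.

```python
"""Added example: a Python approximation of the MQL rule above, run over a
constructed EML. Not Sublime's code; the NLU classifier and the domain
validity check are replaced by labelled heuristics so it runs offline."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real capture): From and To are the same mailbox,
# Microsoft's composite authentication passed, but SPF and DMARC both failed.
SAMPLE_EML = """From: "IT Helpdesk" <jane.doe@example.com>
To: jane.doe@example.com
Subject: Action required: your mailbox password expires today
Date: Tue, 21 Apr 2026 10:00:00 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=example.com; compauth=pass reason=109
Content-Type: text/plain; charset="utf-8"

Your mailbox password expires today. Sign in within 24 hours to keep access:
https://login.example.net/verify
"""

# method=result pairs as they appear in Authentication-Results
AUTH_METHOD_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.I)


def auth_results(msg) -> dict[str, set[str]]:
    """Collect method -> {results} from every Authentication-Results header (lowercased)."""
    found: dict[str, set[str]] = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_METHOD_RE.findall(str(value)):
            found.setdefault(method.lower(), set()).add(result.lower())
    return found


def domain_valid(domain: str) -> bool:
    """Assumption: syntactic stand-in for MQL's domain.valid (labels plus an
    alphabetic TLD); the real check is richer than this."""
    return re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}", domain.lower()) is not None


def is_self_or_invalid_recipient(msg) -> bool:
    """Exactly one To recipient, no Cc/Bcc, and that recipient is either the
    sender itself or sits on an invalid domain (mirrors the MQL block)."""
    to = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    cc = [a for _, a in getaddresses(msg.get_all("Cc", [])) if a]
    bcc = [a for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    if len(to) != 1 or cc or bcc:
        return False
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = to[0].lower()
    recipient_domain = recipient.rpartition("@")[2]
    return sender == recipient or not domain_valid(recipient_domain)


# Assumption: crude keyword cues in place of the cred_theft NLU intent
CRED_THEFT_CUES = ("password", "sign in", "expires", "verify", "keep access")


def has_cred_theft_content(text: str) -> bool:
    """Two or more cues count as a non-low-confidence cred_theft hit (heuristic)."""
    lowered = text.lower()
    return sum(cue in lowered for cue in CRED_THEFT_CUES) >= 2


def matches_rule(raw_eml: str) -> bool:
    """True when all three conditions of the rule hold for the given EML text."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # compauth=pass anywhere in the headers (case-insensitive, like strings.icontains)
    compauth_pass = any("compauth=pass" in str(v).lower() for _, v in msg.items())
    results = auth_results(msg)
    spf_pass = "pass" in results.get("spf", set())
    dmarc_pass = "pass" in results.get("dmarc", set())
    return (
        is_self_or_invalid_recipient(msg)
        and has_cred_theft_content(text)
        and compauth_pass
        and not dmarc_pass
        and not spf_pass
    )


if __name__ == "__main__":
    print("rule matches sample:", matches_rule(SAMPLE_EML))
```

Running the script reports whether the constructed sample matches. Useful controls are the same message with `dmarc=pass` substituted, or with a Cc recipient added (neither should match), and a recipient on a dotless domain such as `ops@localhost`, which still matches through the invalid-domain branch even though it is not a self-send.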