CVE-2026-23760 Google Chronicle · YARA-L

Detect SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760) in Google Chronicle

Detects exploitation of CVE-2026-23760, an authentication bypass vulnerability (CWE-288) in SmarterTools SmarterMail. Attackers can access protected functionality through an alternate path or channel without valid credentials, potentially leading to unauthorized mailbox access, data exfiltration, or lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Initial Access Credential Access

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule smartermail_auth_bypass_cve_2026_23760 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects SmarterMail authentication bypass attempts via alternate path/channel (CVE-2026-23760)"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-23760"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1190"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    $req.principal.ip = $src_ip
    (
      re.regex($req.target.url, `(?i)/api/|/autodiscover/|/ews/|/mapi/|/webmail/|/admin|/config`) or
      re.regex($req.target.url, `(?i)bypass|token=|auth=|session=`)
    )
    $req.network.http.method in ["POST", "GET", "PUT"]
    $req.network.http.response_code in [200, 201, 302]
    not re.regex($req.network.http.user_agent, `(?i)mozilla`) and
      re.regex($req.target.url, `(?i)/api/`)

  match:
    $src_ip over 5m

  condition:
    #req > 10
}
critical severity medium confidence

Chronicle YARA-L rule to detect repeated suspicious HTTP requests to SmarterMail endpoints consistent with CVE-2026-23760 authentication bypass exploitation patterns.

Data Sources

Chronicle UDM HTTP EventsWeb Proxy Logs

Required Tables

network_http

False Positives & Tuning

  • Legitimate automation using non-Mozilla HTTP clients against SmarterMail APIs
  • Internal monitoring tools generating high request volumes to mail service endpoints
  • Mail migration tools accessing EWS or MAPI endpoints at elevated rates

Other platforms for CVE-2026-23760

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Probe SmarterMail Admin API Without Credentials

    Expected signal: IIS access log entry showing GET /api/v1/settings/sysadmin/general with HTTP 200 or 302, source IP of test host, user-agent 'python-requests/2.28'

  2. Test 2Enumerate SmarterMail User Accounts via Bypass Path

    Expected signal: IIS logs showing sequential requests to /api/v1/accounts, /autodiscover/autodiscover.xml, /ews/exchange.asmx with non-standard user-agent from a single IP within seconds

  3. Test 3SmarterMail Authentication Bypass via Token Parameter Injection

    Expected signal: Windows Event Log network connection events and IIS access log entries showing GET requests with 'token=', 'auth=', 'session=' query parameters, HTTP responses 200/302/401, user-agent 'TestClient/1.0'

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-23760 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1114Email Collection

Same Tactic: Initial Access

Popular Detections