Detect SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760) in Microsoft Sentinel
Detects exploitation of CVE-2026-23760, an authentication bypass vulnerability (CWE-288) in SmarterTools SmarterMail. Attackers can access protected functionality through an alternate path or channel without valid credentials, potentially leading to unauthorized mailbox access, data exfiltration, or lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
- Tactic
- Initial Access Credential Access
KQL Detection Query
union isfuzzy=true
(
W3CIISLog
| where csUriStem has_any ("/api/", "/autodiscover/", "/ews/", "/mapi/", "/interface/", "/webmail/")
| where csMethod in ("POST", "GET", "PUT")
| where scStatus in (200, 201, 302) and (csUriQuery has_any ("bypass", "token=", "auth=", "session=") or csUriStem has_any ("/admin", "/config", "/settings"))
| where csUserAgent !has "Mozilla" or csUriStem has "/api/v1/"
| extend TargetResource = strcat(csUriStem, "?", csUriQuery)
| project TimeGenerated, cIP, csUriStem, csUriQuery, csMethod, scStatus, csUserAgent, TargetResource, _ResourceId
),
(
DeviceNetworkEvents
| where RemotePort in (25, 110, 143, 443, 587, 993, 995, 8080, 8443)
| where InitiatingProcessFileName has_any ("SmarterMail", "MailService", "smtpd")
| where ActionType == "InboundConnectionAccepted"
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine
)
| summarize RequestCount=count(), DistinctURIs=dcount(csUriStem), DistinctPorts=dcount(RemotePort) by bin(TimeGenerated, 5m), cIP, DeviceName
| where RequestCount > 10 or DistinctURIs > 5Detects suspicious HTTP requests to SmarterMail endpoints indicative of authentication bypass attempts, including access to admin/config paths without standard browser user-agents, anomalous query parameters, and high-frequency access patterns from single IPs.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate automated mail clients or monitoring tools polling SmarterMail APIs at high frequency
- Internal IT administrators accessing admin panels via scripts or non-browser HTTP clients
- Load balancers or health-check probes generating repeated requests to SmarterMail endpoints
- Legitimate third-party integrations using API tokens that appear in query strings
Other platforms for CVE-2026-23760
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Probe SmarterMail Admin API Without Credentials
Expected signal: IIS access log entry showing GET /api/v1/settings/sysadmin/general with HTTP 200 or 302, source IP of test host, user-agent 'python-requests/2.28'
- Test 2Enumerate SmarterMail User Accounts via Bypass Path
Expected signal: IIS logs showing sequential requests to /api/v1/accounts, /autodiscover/autodiscover.xml, /ews/exchange.asmx with non-standard user-agent from a single IP within seconds
- Test 3SmarterMail Authentication Bypass via Token Parameter Injection
Expected signal: Windows Event Log network connection events and IIS access log entries showing GET requests with 'token=', 'auth=', 'session=' query parameters, HTTP responses 200/302/401, user-agent 'TestClient/1.0'
Unlock Pro Content
Get the full detection package for CVE-2026-23760 including response playbook, investigation guide, and atomic red team tests.