Detect SmarterMail Authentication Bypass via Alternate Path or Channel (CVE-2026-23760) in Splunk
Detects exploitation of CVE-2026-23760, an authentication bypass vulnerability (CWE-288) in SmarterTools SmarterMail. Attackers can access protected functionality through an alternate path or channel without valid credentials, potentially leading to unauthorized mailbox access, data exfiltration, or lateral movement. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
- Tactic
- Initial Access Credential Access
SPL Detection Query
index=iis OR index=web sourcetype=iis OR sourcetype=ms:iis:auto
| eval uri_combined = uri_path . "?" . uri_query
| where (uri_path IN ("/api/", "/autodiscover/", "/ews/", "/mapi/", "/webmail/") OR match(uri_path, "(?i)(admin|config|settings|interface)"))
AND http_method IN ("POST", "GET", "PUT")
AND status IN ("200", "201", "302")
| eval suspicious_params = if(match(uri_query, "(?i)(bypass|token=|auth=|session=)"), 1, 0)
| eval suspicious_agent = if(NOT match(user_agent, "(?i)mozilla") AND match(uri_path, "/api/"), 1, 0)
| where suspicious_params=1 OR suspicious_agent=1
| bucket _time span=5m
| stats count AS request_count, dc(uri_path) AS distinct_uris, values(uri_path) AS accessed_paths, values(status) AS response_codes BY _time, src_ip, host
| where request_count > 10 OR distinct_uris > 5
| eval risk_score = case(
request_count > 50, "critical",
request_count > 20, "high",
distinct_uris > 8, "high",
true(), "medium"
)
| table _time, src_ip, host, request_count, distinct_uris, accessed_paths, response_codes, risk_score
| sort - request_countDetects potential SmarterMail authentication bypass by identifying anomalous HTTP request patterns to protected endpoints, suspicious query parameters, and non-browser clients accessing API paths.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated monitoring or backup tools that poll SmarterMail endpoints without browser user-agents
- Legitimate API integrations using session tokens in query strings
- Security scanners or vulnerability assessment tools run by authorized personnel
- High-volume email clients accessing EWS or MAPI endpoints at elevated rates
Other platforms for CVE-2026-23760
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Probe SmarterMail Admin API Without Credentials
Expected signal: IIS access log entry showing GET /api/v1/settings/sysadmin/general with HTTP 200 or 302, source IP of test host, user-agent 'python-requests/2.28'
- Test 2Enumerate SmarterMail User Accounts via Bypass Path
Expected signal: IIS logs showing sequential requests to /api/v1/accounts, /autodiscover/autodiscover.xml, /ews/exchange.asmx with non-standard user-agent from a single IP within seconds
- Test 3SmarterMail Authentication Bypass via Token Parameter Injection
Expected signal: Windows Event Log network connection events and IIS access log entries showing GET requests with 'token=', 'auth=', 'session=' query parameters, HTTP responses 200/302/401, user-agent 'TestClient/1.0'
Unlock Pro Content
Get the full detection package for CVE-2026-23760 including response playbook, investigation guide, and atomic red team tests.