Description
Required confirmations before submitting
- I can reproduce this issue on the latest released version of Check.
- I have searched existing issues (both open and closed) to avoid duplicates.
- I am not requesting general support; this is an actual bug report.
Issue Description
We are reporting a false positive where the Check extension blocks legitimate Microsoft resources that are proxied through Microsoft Defender for Cloud Apps (MCAS) Conditional Access redirect domains (*.mcas.ms).
Affected Domain: mcas.ms (all subdomains, including *.cloud.microsoft.mcas.ms)
Example Blocked URL:
https://teams.cloud.microsoft.mcas.ms/?ring=ring3_6&loginHint=...
Indicators Triggered:
- phi_010_aad_fingerprint
- phi_013_form_action_mismatch
- phi_001_enhanced
Legitimacy Score: 228.25 (Threshold: 85)
Root Cause:
When Conditional Access policies are applied, Microsoft routes traffic through MCAS proxy domains. The extension sees legitimate Microsoft AAD login elements on a domain it doesn't recognize as Microsoft-owned, triggering multiple phishing indicators simultaneously.
mcas.ms is owned and operated exclusively by Microsoft. Subdomain registration under .mcas.ms is not possible by third parties, making spoofing via this domain impossible.
Our Workaround (Resolved):
Because the extension evaluates domains independently across multiple rule sections, we had to add the pattern ^https://.*.mcas.ms$ to 7 separate locations in our custom detection rules file to fully suppress the false positives:
- trusted_login_patterns
- microsoft_domain_patterns
- exclusion_system.domain_patterns
- legitimate_patterns — CSP domains (leg_005)
- legitimate_patterns — Referrer patterns (leg_006)
- legitimate_patterns — Dedicated MCAS trust entry (leg_007)
- Iframe detection rules (phi_022, phi_024) — negative lookbehind added for .mcas.ms
The pattern itself is simple: ^https://.*.mcas.ms$ — this covers all known MCAS subdomain variations including teams.mcas.ms, outlook.office.com.mcas.ms, and teams.cloud.microsoft.mcas.ms, and will handle any future variations Microsoft introduces.
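The following script is an added example, not code from the Check project or from the reporter's rules file. It exercises the workaround pattern exactly as written above against a handful of constructed origins, beside a tightened variant with the dots escaped and the host labels restricted, so that the allowlist accepts only hosts whose registrable domain is exactly mcas.ms. It assumes (an assumption, since the issue does not say) that Check tests these patterns against the page origin (scheme and host) rather than the full URL; the last helper shows what the trailing $ anchor does if the full URL is used instead. The hostnames other than the ones quoted in the issue are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The allowlist pattern exactly as written in the issue's workaround.
# Both dots are unescaped, so each one matches any single character.
LOOSE = re.compile(r"^https://.*.mcas.ms$")

# Tightened version added here (not from Check's rule set): dots escaped,
# host labels limited to DNS characters, anchored so the registrable domain
# must be exactly mcas.ms. Assumes matching against scheme://host only.
STRICT = re.compile(r"^https://(?:[a-z0-9-]+\.)*mcas\.ms$")


def origin_of(url: str) -> str:
    """Return scheme://host for an absolute URL (constructed helper).

    urlsplit() lower-cases the hostname and drops path, query and fragment,
    which is the input an origin-based allowlist would see.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme}://{parts.hostname}"


def trusted(pattern: re.Pattern, url: str) -> bool:
    """True if the allowlist pattern accepts the URL's origin."""
    return pattern.search(origin_of(url)) is not None


def trusted_full_url(pattern: re.Pattern, url: str) -> bool:
    """Same pattern applied to the whole URL, to show the effect of the $ anchor."""
    return pattern.search(url) is not None


# Constructed sample set: the issue's own hostnames plus edge cases.
SAMPLES = [
    "https://teams.cloud.microsoft.mcas.ms/?ring=ring3_6",  # from the issue
    "https://outlook.office.com.mcas.ms",                    # from the issue
    "https://Teams.MCAS.ms",                                 # mixed case, same host
    "https://mcas.ms",                                       # apex domain, no subdomain
    "https://microsoft-mcas.ms",                             # different registrable domain
    "http://teams.mcas.ms",                                  # plain http, wrong scheme
]


def compare(urls=SAMPLES) -> dict:
    """Map each URL to (loose_result, strict_result) for side-by-side review."""
    return {u: (trusted(LOOSE, u), trusted(STRICT, u)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url:55} loose={loose!s:5} strict={strict}")
```

Two results are worth noting when the script is run: the loose pattern accepts https://microsoft-mcas.ms, whose registrable domain is not mcas.ms at all, because the unescaped dot before mcas matches the hyphen; and it rejects the bare https://mcas.ms origin, because that dot must consume a character that is not there. The tightened pattern gets both cases right. If the rule were instead evaluated against the full URL, the trailing $ would reject the issue's own example URL, since it ends in a query string rather than in the domain.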
Suggested Global Fix:
Rather than requiring end users to patch 7 locations in a custom rules file, we'd suggest mcas.ms be added as a natively trusted Microsoft domain within the extension's core detection logic. This would treat it consistently alongside other first-class Microsoft domains (microsoft.com, microsoftonline.com, etc.) and eliminate the need for any per-organisation workaround.
Extension Version
1.1.0
Rules Version
1.1.0
Relevant Logs / Stack Trace