T1672 Email Spoofing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection in ("Inbound", "IntraOrg")
| extend AuthDetails = tostring(AuthenticationDetails)
| extend SPFResult = extract(@"spf=([a-z]+)", 1, AuthDetails)
| extend DKIMResult = extract(@"dkim=([a-z]+)", 1, AuthDetails)
| extend DMARCResult = extract(@"dmarc=([a-z]+)", 1, AuthDetails)
| where (SPFResult in ("fail", "softfail", "none") and DKIMResult in ("fail", "none") and DMARCResult in ("fail", "none", "bestguesspass"))
    or (SenderFromDomain != SenderMailFromDomain and isnotempty(SenderFromDomain) and isnotempty(SenderMailFromDomain))
| extend HeaderFromDomain = tolower(SenderFromDomain)
| extend EnvelopeFromDomain = tolower(SenderMailFromDomain)
| extend DomainMismatch = iff(HeaderFromDomain != EnvelopeFromDomain, true, false)
| extend AuthFailCount = (iff(SPFResult in ("fail", "softfail"), 1, 0) + iff(DKIMResult == "fail", 1, 0) + iff(DMARCResult == "fail", 1, 0))
| where DeliveryAction != "Blocked"
| project
    Timestamp,
    NetworkMessageId,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderFromDomain,
    SenderMailFromDomain,
    RecipientEmailAddress,
    Subject,
    SPFResult,
    DKIMResult,
    DMARCResult,
    DomainMismatch,
    AuthFailCount,
    DeliveryAction,
    DeliveryLocation,
    ThreatTypes,
    ConfidenceLevel
| order by Timestamp desc

high severity medium confidence

Data Sources

Microsoft Defender for Office 365 Microsoft Sentinel

Required Tables

EmailEvents

False Positives

Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup
Partner or vendor organizations with legitimately weak email authentication posture — correlate with known vendor domains in an allowlist
Email forwarding chains (e.g., alumni addresses forwarding to personal email) that can cause SPF failures due to the forwarding server's IP not being in the original SPF record

Splunk

spl

index=o365 sourcetype="o365:management:activity" Workload=Exchange Operation="MessageDelivered" OR Operation="MessageReceived"
| eval sender_from = lower(coalesce('P2Sender', 'SenderAddress'))
| eval envelope_from = lower(coalesce('ReturnPath', 'P1Sender', 'MailFromAddress'))
| eval sender_from_domain = replace(sender_from, "^[^@]+@", "")
| eval envelope_from_domain = replace(envelope_from, "^[^@]+@", "")
| eval domain_mismatch = if(sender_from_domain != envelope_from_domain AND len(sender_from_domain) > 0 AND len(envelope_from_domain) > 0, "true", "false")
| eval spf_result = lower(coalesce('SPFResult', 'AuthenticationDetails.SPF', "unknown"))
| eval dkim_result = lower(coalesce('DKIMResult', 'AuthenticationDetails.DKIM', "unknown"))
| eval dmarc_result = lower(coalesce('DMARCResult', 'AuthenticationDetails.DMARC', "unknown"))
| eval auth_fail = if(
    (spf_result IN ("fail", "softfail", "none") AND dkim_result IN ("fail", "none")) OR
    dmarc_result IN ("fail", "none") OR
    domain_mismatch = "true", 1, 0)
| where auth_fail = 1
| where DeliveryStatus != "FilteredAsSpam" AND DeliveryStatus != "Quarantined" AND DeliveryStatus != "Blocked"
| table _time, sender_from, envelope_from, sender_from_domain, envelope_from_domain, domain_mismatch, spf_result, dkim_result, dmarc_result, Recipients, Subject, NetworkMessageId, DeliveryStatus
| sort -_time

high severity medium confidence

Data Sources

Office 365 Management Activity API Splunk Add-on for Microsoft Office 365

Required Sourcetypes

o365:management:activity

False Positives

Authorized third-party email service providers (ESPs) sending marketing or transactional emails on behalf of the organization where SPF alignment is on the ESP subdomain rather than the corporate domain
Legacy applications or scanners that use a display name From address associated with a user but send through a shared relay with a different envelope sender
Email forwarding setups within O365 (e.g., shared mailbox delegation or distribution group forwarding) where rewriting alters envelope headers
Cross-tenant sharing scenarios in federated Microsoft 365 environments where partner tenants appear as mismatched sender domains
Automated workflow tools (Power Automate, Zapier) sending on behalf of users through connectors that do not preserve DKIM alignment

Elastic Security (EQL)

eql

any where event.dataset : "o365.*" and event.action in (
  "Receive", "MessageDelivered", "New-InboxRule", "Set-InboxRule"
) and (
  o365.audit.Authentication_Details : ("spf=fail*", "dkim=fail*", "dmarc=fail*") or
  o365.audit.Operation : ("New-InboxRule", "UpdateInboxRules")
)

high severity medium confidence

Data Sources

Microsoft 365 Elastic O365 Integration

Required Tables

logs-o365.audit-* logs-email.*

False Positives

Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS SenderAddress,
    "RecipientAddress" AS RecipientAddress,
    "Subject" AS EmailSubject,
    CASE
        WHEN "SPFResult" = 'fail' AND "DKIMResult" = 'fail' THEN 90
        WHEN "DMARCResult" = 'fail' THEN 80
        WHEN "SPFResult" ILIKE '%fail%' THEN 65
        ELSE 50
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Exchange', 'Office 365')
    AND ("SPFResult" ILIKE '%fail%'
        OR "DKIMResult" ILIKE '%fail%'
        OR "DMARCResult" ILIKE '%fail%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup

Sumo Logic CSE

sql

_sourceCategory=o365/management
| json auto
| where operation in ("Receive","MessageDelivered","New-InboxRule","Set-InboxRule","UpdateInboxRules")
| where spf_result matches /(fail|softfail)/i OR dkim_result = "fail" OR dmarc_result = "fail"
    OR operation matches /InboxRule/i
| if(spf_result = "fail" AND dkim_result = "fail", 90,
    if(dmarc_result = "fail", 80,
    if(operation matches /InboxRule/i, 85, 65))) as risk_score
| if(operation matches /InboxRule/i, "MailboxRule",
    if(dmarc_result = "fail", "DMARCFail", "AuthFailure")) as detection_type
| where risk_score >= 65
| count by sender_address, recipient_address, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=o365/management OR _sourceCategory=microsoft/exchange

False Positives

Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup

Google Chronicle / SecOps

yaral

rule detection_t1672 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Email Spoofing email activity - T1672"
    severity = "HIGH"
    mitre_attack = "T1672"
    reference = "https://attack.mitre.org/techniques/T1672/"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.principal.user.email_addresses = $sender
    $e.network.email.to = $recipient
    $e.network.email.subject = $subject
    (
      re.regex($e.network.email.subject, `(?i)(urgent|wire.?transfer|payment|invoice|final.?notice)`) or
      $e.security_result.action = "BLOCK"
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Microsoft 365 Google Workspace

Required Tables

EMAIL_TRANSACTION

False Positives

Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "EmailActivityEvent"
| EmailDirection = "Inbound"
| SPFResult = /(?i)(fail|softfail)/ OR DKIMResult = "fail" OR DMARCResult = "fail"
    OR Subject = /(?i)(urgent|wire.?transfer|payment|invoice|final.?notice)/
| case {
    SPFResult = "fail" AND DKIMResult = "fail" | RiskScore := "High" ;
    DMARCResult = "fail" | RiskScore := "High" ;
    Subject = /(?i)(wire.?transfer|payment)/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([SenderFromAddress, RecipientEmailAddress, Subject, SPFResult, DKIMResult, DMARCResult, RiskScore, DeliveryAction])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Email Protection

Required Tables

EmailActivityEvent

False Positives

Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup

Email Spoofing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections