Detect Email Spoofing in IBM QRadar
This detection identifies email spoofing attempts where adversaries manipulate email headers — particularly the FROM, Reply-To, and Display Name fields — to impersonate legitimate senders. The detection focuses on emails that fail SPF, DKIM, or DMARC authentication checks, mismatches between the envelope sender (Return-Path/MailFrom) and the header From address, and abuse of Microsoft 365 Direct Send to bypass authentication. Spoofed emails are frequently used to enable phishing, business email compromise (BEC), and impersonation attacks against high-value targets such as executives, finance teams, and third-party vendors.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1672 Email Spoofing
- Canonical reference: https://attack.mitre.org/techniques/T1672/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
LOGSOURCENAME(logsourceid) AS LogSource,
"username" AS SenderAddress,
"RecipientAddress" AS RecipientAddress,
"Subject" AS EmailSubject,
CASE
WHEN "SPFResult" = 'fail' AND "DKIMResult" = 'fail' THEN 90
WHEN "DMARCResult" = 'fail' THEN 80
WHEN "SPFResult" ILIKE '%fail%' THEN 65
ELSE 50
END AS RiskScore
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Exchange', 'Office 365')
AND ("SPFResult" ILIKE '%fail%' OR "DMARCResult" = 'fail')
ORDER BY EventTime DESC
LAST 1 HOURS
IBM QRadar AQL detection for Email Spoofing (T1672). It queries the QRadar event pipeline for indicators consistent with email spoofing techniques, using MITRE ATT&CK-aligned event categorization.
Note on the WHERE clause: AQL cannot filter on a column alias defined in the SELECT list, so a condition such as RiskScore >= 65 is not valid there. The filter above is the equivalent expressed on the raw properties: every event that the CASE expression scores 65 or higher has either an SPF result containing 'fail' or a DMARC result of 'fail', and DKIM-only failures (score 50) are excluded as before. The quoted names ("SPFResult", "DKIMResult", "DMARCResult", "RecipientAddress", "Subject") are custom event properties; they must be defined and parsed for the Exchange and Office 365 log sources before the query returns results.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
- Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
- Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Send Spoofed Email via Python SMTP to External Relay (No Auth)
Expected signal: Email delivery logs showing From header '[email protected]' with envelope sender '[email protected]' — triggering SenderFromDomain != SenderMailFromDomain mismatch. SPF will fail since [email protected] is not authorized to send for contoso.com.
- Test 2: Validate DMARC Policy Weakness on Target Domain
Expected signal: DNS query logs (if captured via Sysmon Event 22 on Windows or auditd/bind logs on Linux) showing TXT record lookups for _dmarc and _domainkey subdomains. No email telemetry generated by this test step.
- Test 3: Spoofed Email via SendGrid API with Mismatched From Header (Authorized Test)
Expected signal: Email delivery to test mailbox with From header showing [email protected] but Authentication-Results showing dkim=pass (SendGrid DKIM) and spf=pass (SendGrid IP) — but DMARC will fail due to domain alignment mismatch between contoso.com (From header domain) and sendgrid.net (DKIM/SPF domain). The SenderFromDomain vs SenderMailFromDomain mismatch will be logged in EmailEvents.
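As an added example (not part of this detection package or of QRadar), the following Python script reproduces the rule's risk scoring outside the SIEM so it can be checked against the header patterns the tests above describe: it parses Authentication-Results, derives DMARC alignment from the smtp.mailfrom and header.d identifiers when the receiving MTA recorded no explicit dmarc= result, and flags the envelope (Return-Path) versus header From domain mismatch. The sample headers, the mailer.example.net relay and the two-label approximation of the organizational domain are constructed assumptions; contoso.com and sendgrid.net are the domains the tests above use.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real traffic): contoso.com and sendgrid.net are the domains
# used in the tests above, mailer.example.net is a placeholder relay.
SAMPLES = {
    "test1_envelope_mismatch": 'From: "CEO" <ceo@contoso.com>\nReturn-Path: <bounce@mailer.example.net>\n'
        "Authentication-Results: mx.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none\n",
    "test3_esp_misaligned": "From: finance@contoso.com\nReturn-Path: <bounces@sendgrid.net>\n"
        "Authentication-Results: mx.example; spf=pass smtp.mailfrom=bounces@sendgrid.net; dkim=pass header.d=sendgrid.net\n",
    "softfail_dkim_aligned": "From: alerts@contoso.com\nReturn-Path: <alerts@contoso.com>\n"
        "Authentication-Results: mx.example; spf=softfail smtp.mailfrom=contoso.com; dkim=pass header.d=contoso.com\n",
}

def domain_of(addr):
    """Lowercase domain of a mailbox string; display names are tolerated."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption: real relaxed alignment uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_auth_results(header):
    """Method results plus the identifiers they vouch for (smtp.mailfrom, header.d)."""
    h = header or ""
    out = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", h, re.I):
        out[method.lower()] = result.lower()
    m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", h, re.I)
    out["spf_domain"] = m.group(1).lower() if m else ""
    m = re.search(r"header\.d=([\w.-]+)", h, re.I)
    out["dkim_domain"] = m.group(1).lower() if m else ""
    return out

def score_message(raw):
    """Score one raw message the way the AQL CASE expression above scores an event."""
    msg = message_from_string(raw)
    a = parse_auth_results(msg.get("Authentication-Results"))
    from_dom, mailfrom_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    # DMARC passes only if an authenticated identifier aligns with the From domain; derive it
    # when the MTA recorded no explicit dmarc= result (Test 3: dkim=pass but header.d misaligned).
    spf_ok = a["spf"] == "pass" and org_domain(a["spf_domain"]) == org_domain(from_dom)
    dkim_ok = a["dkim"] == "pass" and org_domain(a["dkim_domain"]) == org_domain(from_dom)
    dmarc = a["dmarc"] if a["dmarc"] != "none" else ("pass" if spf_ok or dkim_ok else "fail")
    # Same priority order as the AQL CASE; 'softfail' matches like ILIKE '%fail%'.
    risk = (90 if a["spf"] == "fail" and a["dkim"] == "fail" else
            80 if dmarc == "fail" else 65 if "fail" in a["spf"] else 50)
    return {"from_domain": from_dom, "mailfrom_domain": mailfrom_dom, "envelope_mismatch": from_dom != mailfrom_dom,
            "spf": a["spf"], "dkim": a["dkim"], "dmarc": dmarc, "risk": risk, "alert": risk >= 65}
```

Running score_message over SAMPLES shows the Test 3 case scoring 80 despite spf=pass and dkim=pass, because neither authenticated identifier aligns with contoso.com.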
References (9)
- https://attack.mitre.org/techniques/T1672/
- https://www.proofpoint.com/us/blog/threat-insight/ta427-north-koreas-research-focused-social-engineering
- https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
- https://dmarc.org/overview/
- https://www.proofpoint.com/us/blog/email-and-cloud-threats/dmarc-protection
- https://www.ic3.gov/PSA/2024/PSA240626
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonlighting-in-your-mailroom-how-north-korea-exploits-direct-send
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence
- https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365