T1672 Microsoft Sentinel · KQL

Detect Email Spoofing in Microsoft Sentinel

This detection identifies email spoofing attempts where adversaries manipulate email headers — particularly the FROM, Reply-To, and Display Name fields — to impersonate legitimate senders. The detection focuses on emails that fail SPF, DKIM, or DMARC authentication checks, mismatches between the envelope sender (Return-Path/MailFrom) and the header From address, and abuse of Microsoft 365 Direct Send to bypass authentication. Spoofed emails are frequently used to enable phishing, business email compromise (BEC), and impersonation attacks against high-value targets such as executives, finance teams, and third-party vendors.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1672 Email Spoofing
Canonical reference: https://attack.mitre.org/techniques/T1672/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
EmailEvents
| where Timestamp > ago(1h)
| where EmailDirection in ("Inbound", "IntraOrg")
// AuthenticationDetails is a JSON string such as {"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"};
// the extract() fallback also covers the Authentication-Results token form (spf=fail dkim=none dmarc=fail)
| extend AuthDetails = tostring(AuthenticationDetails), AuthJson = parse_json(AuthenticationDetails)
| extend SPFResult = tolower(coalesce(tostring(AuthJson.SPF), extract(@"spf=([a-z]+)", 1, AuthDetails)))
| extend DKIMResult = tolower(coalesce(tostring(AuthJson.DKIM), extract(@"dkim=([a-z]+)", 1, AuthDetails)))
| extend DMARCResult = tolower(coalesce(tostring(AuthJson.DMARC), extract(@"dmarc=([a-z]+)", 1, AuthDetails)))
// Normalise case before comparing: != on strings is case-sensitive in KQL
| extend HeaderFromDomain = tolower(SenderFromDomain)
| extend EnvelopeFromDomain = tolower(SenderMailFromDomain)
| extend DomainMismatch = isnotempty(HeaderFromDomain) and isnotempty(EnvelopeFromDomain) and HeaderFromDomain != EnvelopeFromDomain
// Flag mail where every authentication check is failing or absent, or where the header From and envelope MailFrom domains differ
| where (SPFResult in ("fail", "softfail", "none") and DKIMResult in ("fail", "none") and DMARCResult in ("fail", "none", "bestguesspass"))
    or DomainMismatch
| extend AuthFailCount = iff(SPFResult in ("fail", "softfail"), 1, 0) + iff(DKIMResult == "fail", 1, 0) + iff(DMARCResult == "fail", 1, 0)
// Keep only mail that was not stopped at the gateway
| where DeliveryAction != "Blocked"
| project
    Timestamp,
    NetworkMessageId,
    SenderFromAddress,
    SenderMailFromAddress,
    SenderFromDomain,
    SenderMailFromDomain,
    RecipientEmailAddress,
    Subject,
    SPFResult,
    DKIMResult,
    DMARCResult,
    DomainMismatch,
    AuthFailCount,
    DeliveryAction,
    DeliveryLocation,
    ThreatTypes,
    ConfidenceLevel
| order by Timestamp desc
```

Severity: High · Confidence: Medium

Detects inbound and intra-org emails that fail SPF, DKIM, and DMARC authentication checks and/or exhibit a mismatch between the header From domain and the envelope sender (MailFrom/Return-Path) domain — the two primary indicators of email spoofing. Results are filtered to emails that were not blocked at the gateway, meaning they reached or could reach recipient inboxes.
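As an added example (not code from the original rule or from Microsoft), the same filter logic written in Python and run over a few constructed EmailEvents-style rows: it accepts AuthenticationDetails either as the JSON string Defender writes or as Authentication-Results style spf=/dkim=/dmarc= tokens, and the msg-3 row reproduces the Test 3 situation where SPF and DKIM pass for the ESP but the header From domain still differs from the envelope domain.

```python
import json
import re

# Constructed EmailEvents-style rows (not real telemetry); msg-3 carries the
# Authentication-Results token form to exercise the regex fallback in parse_auth().
SAMPLE_EVENTS = [
    {"NetworkMessageId": "msg-1", "EmailDirection": "Inbound", "DeliveryAction": "Delivered",
     "SenderFromDomain": "contoso.com", "SenderMailFromDomain": "contoso.com",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
    {"NetworkMessageId": "msg-2", "EmailDirection": "Inbound", "DeliveryAction": "Delivered",
     "SenderFromDomain": "contoso.com", "SenderMailFromDomain": "relay.example.net",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'},
    {"NetworkMessageId": "msg-3", "EmailDirection": "Inbound", "DeliveryAction": "Junked",
     "SenderFromDomain": "Contoso.com", "SenderMailFromDomain": "em123.sendgrid.net",
     "AuthenticationDetails": "spf=pass dkim=pass dmarc=fail"},
    {"NetworkMessageId": "msg-4", "EmailDirection": "Inbound", "DeliveryAction": "Blocked",
     "SenderFromDomain": "contoso.com", "SenderMailFromDomain": "relay.example.net",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}'},
]


def parse_auth(details):
    """Lower-cased spf/dkim/dmarc verdicts from the JSON form or 'spf=fail' tokens."""
    data = json.loads(details) if details and details.lstrip().startswith("{") else {}
    verdicts = {}
    for proto in ("spf", "dkim", "dmarc"):
        value = data.get(proto.upper())
        if not value:  # fall back to the Authentication-Results token form
            match = re.search(proto + r"=([a-z]+)", details or "", re.IGNORECASE)
            value = match.group(1) if match else ""
        verdicts[proto] = value.lower()
    return verdicts


def evaluate(event):
    """Mirror the KQL filter for one row: return a finding dict, or None if it is benign."""
    if event["EmailDirection"] not in ("Inbound", "IntraOrg") or event["DeliveryAction"] == "Blocked":
        return None
    auth = parse_auth(event.get("AuthenticationDetails"))
    header_dom = (event.get("SenderFromDomain") or "").lower()
    envelope_dom = (event.get("SenderMailFromDomain") or "").lower()
    mismatch = bool(header_dom and envelope_dom and header_dom != envelope_dom)
    all_weak = (auth["spf"] in ("fail", "softfail", "none") and auth["dkim"] in ("fail", "none")
                and auth["dmarc"] in ("fail", "none", "bestguesspass"))
    if not (all_weak or mismatch):
        return None
    fail_count = sum([auth["spf"] in ("fail", "softfail"), auth["dkim"] == "fail", auth["dmarc"] == "fail"])
    return {"NetworkMessageId": event["NetworkMessageId"], "DomainMismatch": mismatch,
            "AuthFailCount": fail_count, **auth}


def run_detection(events):
    return [finding for finding in map(evaluate, events) if finding]
```

Running run_detection(SAMPLE_EVENTS) returns findings for msg-2 and msg-3 only: msg-1 is fully authenticated and aligned, and msg-4 was blocked at the gateway.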

Data Sources

  • Microsoft Defender for Office 365
  • Microsoft Sentinel

Required Tables

EmailEvents

False Positives & Tuning

  • Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain
  • Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
  • Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup
  • Partner or vendor organizations with legitimately weak email authentication posture — correlate with known vendor domains in an allowlist
  • Email forwarding chains (e.g., alumni addresses forwarding to personal email) that can cause SPF failures due to the forwarding server's IP not being in the original SPF record

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Send Spoofed Email via Python SMTP to External Relay (No Auth)

    Expected signal: Email delivery logs showing From header '[email protected]' with envelope sender '[email protected]' — triggering SenderFromDomain != SenderMailFromDomain mismatch. SPF will fail since [email protected] is not authorized to send for contoso.com.

  2. Test 2: Validate DMARC Policy Weakness on Target Domain

    Expected signal: DNS query logs (if captured via Sysmon Event 22 on Windows or auditd/bind logs on Linux) showing TXT record lookups for _dmarc and _domainkey subdomains. No email telemetry generated by this test step.

  3. Test 3: Spoofed Email via SendGrid API with Mismatched From Header (Authorized Test)

    Expected signal: Email delivery to test mailbox with From header showing [email protected] but Authentication-Results showing dkim=pass (SendGrid DKIM) and spf=pass (SendGrid IP) — but DMARC will fail due to domain alignment mismatch between contoso.com (From header domain) and sendgrid.net (DKIM/SPF domain). The SenderFromDomain vs SenderMailFromDomain mismatch will be logged in EmailEvents.
