Detect Email Spoofing in Splunk
This detection identifies email spoofing attempts where adversaries manipulate email headers — particularly the FROM, Reply-To, and Display Name fields — to impersonate legitimate senders. The detection focuses on emails that fail SPF, DKIM, or DMARC authentication checks, mismatches between the envelope sender (Return-Path/MailFrom) and the header From address, and abuse of Microsoft 365 Direct Send to bypass authentication. Spoofed emails are frequently used to enable phishing, business email compromise (BEC), and impersonation attacks against high-value targets such as executives, finance teams, and third-party vendors.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1672 Email Spoofing
- Canonical reference: https://attack.mitre.org/techniques/T1672/
SPL Detection Query
index=o365 sourcetype="o365:management:activity" Workload=Exchange (Operation="MessageDelivered" OR Operation="MessageReceived")
| eval sender_from = lower(coalesce('P2Sender', 'SenderAddress'))
| eval envelope_from = lower(coalesce('ReturnPath', 'P1Sender', 'MailFromAddress'))
| eval sender_from_domain = replace(sender_from, "^[^@]+@", "")
| eval envelope_from_domain = replace(envelope_from, "^[^@]+@", "")
| eval domain_mismatch = if(sender_from_domain != envelope_from_domain AND len(sender_from_domain) > 0 AND len(envelope_from_domain) > 0, "true", "false")
| eval spf_result = lower(coalesce('SPFResult', 'AuthenticationDetails.SPF', "unknown"))
| eval dkim_result = lower(coalesce('DKIMResult', 'AuthenticationDetails.DKIM', "unknown"))
| eval dmarc_result = lower(coalesce('DMARCResult', 'AuthenticationDetails.DMARC', "unknown"))
| eval auth_fail = if(
(spf_result IN ("fail", "softfail", "none") AND dkim_result IN ("fail", "none")) OR
dmarc_result IN ("fail", "none") OR
domain_mismatch = "true", 1, 0)
| where auth_fail = 1
| where DeliveryStatus != "FilteredAsSpam" AND DeliveryStatus != "Quarantined" AND DeliveryStatus != "Blocked"
| table _time, sender_from, envelope_from, sender_from_domain, envelope_from_domain, domain_mismatch, spf_result, dkim_result, dmarc_result, Recipients, Subject, NetworkMessageId, DeliveryStatus
| sort -_time
Detects spoofed emails ingested via Office 365 Management Activity API logs by identifying messages where SPF/DKIM/DMARC fail and/or the header From domain differs from the envelope sender domain. Focuses on delivered or received messages to identify spoofing that bypassed gateway controls.
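The verdict logic of the query above, re-implemented in Python as an added example (not code from the original page) so it can be checked offline against constructed events. It mirrors the SPL field coalescing, the SPF/DKIM/DMARC checks, the exact-domain mismatch and the delivery-status filter, and adds one tuning knob the SPL lacks: a relaxed (organisational-domain) comparison that clears the ESP-subdomain false positive listed under tuning. The event field names are the ones the query uses; all values are made up.

```python
import re
# Constructed sample events, not real O365 telemetry. Field names follow the
# fields the SPL query coalesces; every value is made up for illustration.
SAMPLE_EVENTS = [
    {"P2Sender": "ceo@contoso.com", "ReturnPath": "bounce@sendgrid.net",      # SPF/DKIM pass
     "SPFResult": "Pass", "DKIMResult": "Pass", "DMARCResult": "Fail",        # on the ESP, but
     "DeliveryStatus": "Delivered"},                                          # alignment fails
    {"SenderAddress": "alerts@contoso.com", "P1Sender": "bounce@mail.contoso.com",
     "SPFResult": "Pass", "DKIMResult": "Pass", "DMARCResult": "Pass",        # authorised ESP
     "DeliveryStatus": "Delivered"},                                          # subdomain
    {"P2Sender": "cfo@contoso.com", "MailFromAddress": "noreply@evil.example",
     "SPFResult": "Fail", "DKIMResult": "None", "DMARCResult": "Fail",        # already caught
     "DeliveryStatus": "FilteredAsSpam"},                                     # by the gateway
]

def _coalesce(event, *keys, default=""):
    # First populated key, lower-cased, like the SPL coalesce()/lower() pair.
    for key in keys:
        if event.get(key):
            return str(event[key]).lower()
    return default

def _domain(addr):
    return re.sub(r"^[^@]+@", "", addr)

def _org_domain(domain):
    # Simplified organisational domain (last two labels). Real DMARC relaxed
    # alignment uses the Public Suffix List, so co.uk-style domains need that.
    return ".".join(domain.split(".")[-2:])

def classify(event, relaxed=False):
    """Return the verdict the SPL query would reach, plus the reasons it fired."""
    sender_from = _coalesce(event, "P2Sender", "SenderAddress")
    envelope_from = _coalesce(event, "ReturnPath", "P1Sender", "MailFromAddress")
    from_dom, env_dom = _domain(sender_from), _domain(envelope_from)
    if relaxed and from_dom and env_dom:          # tuning knob the SPL does not have
        from_dom, env_dom = _org_domain(from_dom), _org_domain(env_dom)
    mismatch = bool(from_dom and env_dom and from_dom != env_dom)
    spf = _coalesce(event, "SPFResult", "AuthenticationDetails.SPF", default="unknown")
    dkim = _coalesce(event, "DKIMResult", "AuthenticationDetails.DKIM", default="unknown")
    dmarc = _coalesce(event, "DMARCResult", "AuthenticationDetails.DMARC", default="unknown")
    reasons = []
    if spf in ("fail", "softfail", "none") and dkim in ("fail", "none"):
        reasons.append("spf_and_dkim")
    if dmarc in ("fail", "none"):
        reasons.append("dmarc")
    if mismatch:
        reasons.append("domain_mismatch")
    # Same exclusion as the SPL: only messages that got past the gateway alert.
    delivered = event.get("DeliveryStatus") not in ("FilteredAsSpam", "Quarantined", "Blocked")
    return {"alert": bool(reasons) and delivered, "reasons": reasons}
```

The first event reproduces the DMARC alignment failure described under Test 3; the second fires only under the exact-domain comparison, which is the behaviour to tune for authorised ESP subdomains.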
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized third-party email service providers (ESPs) sending marketing or transactional emails on behalf of the organization where SPF alignment is on the ESP subdomain rather than the corporate domain
- Legacy applications or scanners that use a display name From address associated with a user but send through a shared relay with a different envelope sender
- Email forwarding setups within O365 (e.g., shared mailbox delegation or distribution group forwarding) where rewriting alters envelope headers
- Cross-tenant sharing scenarios in federated Microsoft 365 environments where partner tenants appear as mismatched sender domains
- Automated workflow tools (Power Automate, Zapier) sending on behalf of users through connectors that do not preserve DKIM alignment
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Send Spoofed Email via Python SMTP to External Relay (No Auth)
Expected signal: Email delivery logs showing From header '[email protected]' with envelope sender '[email protected]' — triggering SenderFromDomain != SenderMailFromDomain mismatch. SPF will fail since [email protected] is not authorized to send for contoso.com.
- Test 2: Validate DMARC Policy Weakness on Target Domain
Expected signal: DNS query logs (if captured via Sysmon Event 22 on Windows or auditd/bind logs on Linux) showing TXT record lookups for _dmarc and _domainkey subdomains. No email telemetry generated by this test step.
- Test 3: Spoofed Email via SendGrid API with Mismatched From Header (Authorized Test)
Expected signal: Email delivery to test mailbox with From header showing [email protected] but Authentication-Results showing dkim=pass (SendGrid DKIM) and spf=pass (SendGrid IP) — but DMARC will fail due to domain alignment mismatch between contoso.com (From header domain) and sendgrid.net (DKIM/SPF domain). The SenderFromDomain vs SenderMailFromDomain mismatch will be logged in EmailEvents.
References (9)
- https://attack.mitre.org/techniques/T1672/
- https://www.proofpoint.com/us/blog/threat-insight/ta427-north-koreas-research-focused-social-engineering
- https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
- https://dmarc.org/overview/
- https://www.proofpoint.com/us/blog/email-and-cloud-threats/dmarc-protection
- https://www.ic3.gov/PSA/2024/PSA240626
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonlighting-in-your-mailroom-how-north-korea-exploits-direct-send
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence
- https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365