title: Email Spoofing (T1672)
id: df00tech-t1672
status: experimental
description: "This detection identifies email spoofing attempts where adversaries manipulate email headers — particularly the FROM, Reply-To, and Display Name fields — to impersonate legitimate senders. The detection focuses on emails that fail SPF, DKIM, or DMARC authentication checks, mismatches between the envelope sender (Return-Path/MailFrom) and the header From address, and abuse of Microsoft 365 Direct Send to bypass authentication. Spoofed emails are frequently used to enable phishing, business email compromise (BEC), and impersonation attacks against high-value targets such as executives, finance teams, and third-party vendors."
references:
  - https://attack.mitre.org/techniques/T1672/
  - https://df00tech.com/detections/T1672
author: df00tech
date: 2026/03/20
tags:
  - attack.t1672
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder selection: a wildcard EventID matches every event, so this rule
  # must not be deployed as-is; replace the selection with your environment's fields.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate bulk email services (Mailchimp, SendGrid, Constant Contact) that send on behalf of a domain without proper DKIM/SPF alignment — review if SenderMailFromDomain is a known ESP subdomain"
  - Internal applications or multifunction printers using Microsoft 365 Direct Send with a functional mailbox From address but no DKIM signing configured
  - "Third-party HR, legal, or CRM platforms authorized to send on behalf of the organization that have not completed DMARC alignment setup"
  - Partner or vendor organizations with legitimately weak email authentication posture — correlate with known vendor domains in an allowlist
  - "Email forwarding chains (e.g., alumni addresses forwarding to personal email) that can cause SPF failures due to the forwarding server's IP not being in the original SPF record"
level: high
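As an added worked example (not part of the df00tech rule or of Sigma itself), the following Python script applies the checks the description lists to raw message headers: it reads the SPF/DKIM/DMARC verdicts from Authentication-Results, compares the Return-Path domain with the header From domain, flags a Reply-To on a different domain, and flags a known executive display name paired with an address outside the organisation. It also encodes two of the false-positive cases above: envelope domains on an ESP allowlist are ignored, and an envelope mismatch on a message whose DKIM signature still passes (the forwarding case) is recorded but not escalated, because DKIM survives forwarding while SPF does not. The organisation domain, executive names, ESP allowlist and all four sample messages are constructed assumptions.

```python
"""Header-alignment triage for T1672 indicators (added example, assumptions labelled)."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                        # assumed protected domain
EXEC_NAMES = {"jane doe"}                         # assumed executive display names (lower-case)
ESP_ALLOWLIST = {"sendgrid.net", "mailchimp.com"}  # assumed known bulk senders (false-positive list)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_allowlist(domain):
    """True when the domain is an allowlisted ESP domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in ESP_ALLOWLIST)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def analyze(raw_message):
    """Return the spoofing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    from_dom, env_dom, reply_dom = (domain_of(a) for a in (from_addr, envelope_addr, reply_addr))
    auth = auth_results(msg)

    findings = []
    for method in ("spf", "dkim", "dmarc"):          # a missing verdict is treated as "none"
        result = auth.get(method, "none")
        if result != "pass":
            findings.append(f"{method}={result}")
    if env_dom and env_dom != from_dom and not in_allowlist(env_dom):
        findings.append("envelope_mismatch")         # MailFrom domain differs from header From
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")         # replies are steered to another domain
    if from_name.strip().lower() in EXEC_NAMES and from_dom != ORG_DOMAIN:
        findings.append("display_name_impersonation")

    dkim_ok = auth.get("dkim") == "pass"
    suspicious = (
        "display_name_impersonation" in findings
        or "dmarc=fail" in findings
        or ("envelope_mismatch" in findings and not dkim_ok)  # forwarding keeps DKIM intact
    )
    return {"from": from_addr, "envelope": envelope_addr,
            "findings": findings, "suspicious": suspicious}


# Constructed sample messages (not real traffic).
SPOOFED_EXEC = """Return-Path: <bounce@unknown-relay.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=unknown-relay.example; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe@freemail.example>
To: finance@example.com
Subject: Urgent wire

Please process today.
"""

FREEMAIL_IMPERSONATION = """Return-Path: <jane.doe.ceo@freemail.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=pass header.from=freemail.example
From: "Jane Doe" <jane.doe.ceo@freemail.example>
To: finance@example.com
Subject: Are you at your desk?

Need a quick favour.
"""

ESP_NEWSLETTER = """Return-Path: <bounces+123@em.sendgrid.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=em.sendgrid.net; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Newsletter" <news@example.com>
To: staff@example.com
Subject: March update

Hello all.
"""

FORWARDED = """Return-Path: <srs0=abc=alumni.example=bob@forwarder.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=forwarder.example; dkim=pass header.d=alumni.example; dmarc=pass header.from=alumni.example
From: "Bob" <bob@alumni.example>
To: alice@example.com
Subject: Reunion

See you there.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed_exec", SPOOFED_EXEC), ("freemail", FREEMAIL_IMPERSONATION),
                      ("esp", ESP_NEWSLETTER), ("forwarded", FORWARDED)):
        print(name, analyze(raw))
```

The `suspicious` flag is deliberately conservative: SPF failure alone is only an indicator, since the forwarding-chain false positive above produces exactly that pattern, while a DMARC failure, an executive name on an external address, or an envelope mismatch without a surviving DKIM signature are escalated.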
