Query Details

MDO Hunting - Email Auth Failures (SPF/DKIM/DMARC Spoofing)

MDO 07 Email Auth Failures Spoofing

Query

EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
         DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
| where DMARC == "fail" or (SPF == "fail" and DKIM == "fail")
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Delivered = countif(DeliveryAction == "Delivered")
    by SenderFromDomain, SPF, DKIM, DMARC, CompAuth
| where Delivered > 0
| sort by Messages desc

Explanation

This query is designed to detect email spoofing attempts by analyzing inbound email authentication results. It focuses on identifying emails that have failed DMARC (Domain-based Message Authentication, Reporting & Conformance) checks, which are strong indicators of domain spoofing or Business Email Compromise (BEC).

Here's a simple breakdown of what the query does:

  1. Data Source: It uses email event data from Microsoft Threat Protection.

  2. Time Frame: It looks at emails received in the last 7 days.

  3. Email Direction: It filters for inbound emails only.

  4. Authentication Details: It extracts and checks the results of email authentication methods: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC.

  5. Failure Detection: It identifies emails where DMARC failed, or both SPF and DKIM failed.

  6. Summarization: It counts the number of such messages, the distinct number of recipients, and how many of these emails were actually delivered to inboxes.

  7. Focus on Delivered Emails: It specifically highlights cases where spoofed emails were delivered, suggesting a need for stronger anti-spoofing measures.

  8. Sorting: It sorts the results by the number of messages, prioritizing domains with the most spoofing attempts.

Overall, this query helps organizations identify and respond to potential email spoofing threats by highlighting cases where spoofed emails have bypassed existing security measures and reached user mailboxes.

Details

David Alonso profile picture

David Alonso

Released: July 17, 2026

Tables

EmailEvents

Keywords

EmailEventsAuthenticationDetailsSenderFromDomainRecipientEmailAddressDeliveryAction

Operators

EmailEventswhereTimestampagoEmailDirectionextendparse_jsontostringsummarizecountdcountcountifbysortdesc

Tactics

InitialAccessPersistence

MITRE Techniques

Actions

GitHub