Adversaries may attempt to bypass multi-factor authentication by spoofing sender email addresses, which surfaces as composite authentication (CompAuth) failures on inbound mail. SOC teams should proactively hunt for this behaviour to identify potential phishing or credential-compromise attempts in their Microsoft Sentinel environment.
KQL Query

```kusto
// Daily trend of inbound mail that failed composite authentication (CompAuth)
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
// AuthenticationDetails is a JSON string; a spoof verdict carries "CompAuth":"fail"
| extend CompAuthFail = AuthenticationDetails has_any ('CompAuth":"fail')
// Keep only the failures; without this filter the series would count every email
| where CompAuthFail
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
```yaml
id: 9d5d0ba9-e1b3-4dbb-9beb-e0f4c7fb6524
name: CompAuth Failure Trend
description: |
  This query visualises total emails with Spoof - Composite Authentication fails, summarizing the data daily.
description-detailed: |
  This query visualises total emails with Spoof - Composite Authentication fails, summarizing the data daily.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  // Daily trend of inbound mail that failed composite authentication (CompAuth)
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  // AuthenticationDetails is a JSON string; a spoof verdict carries "CompAuth":"fail"
  | extend CompAuthFail = AuthenticationDetails has_any ('CompAuth":"fail')
  // Keep only the failures; without this filter the series would count every email
  | where CompAuthFail
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled system backup job using Veeam Backup & Replication triggers a CompAuth failure due to temporary authentication credential rotation.
Filter/Exclusion: Exclude events where the source is veeam-backup or where the user agent contains Veeam Backup.
Scenario: Microsoft Exchange Online admin task (e.g., mailbox migration or mailbox move) causes a transient CompAuth failure due to credential refresh during the process.
Filter/Exclusion: Exclude events where the source is Microsoft.Exchange or where the user is a service account like MailboxMove.
Scenario: Microsoft Teams scheduled meeting reminder email triggers a CompAuth failure due to expired temporary credentials used for email delivery.
Filter/Exclusion: Exclude events where the subject line contains “Meeting Reminder” or where the sender is a Microsoft service account.
Scenario: PowerShell remoting job running as a service account (e.g., svc-powershell) fails CompAuth due to credential expiration during a scheduled maintenance window.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the user is a known service account.
Scenario: Azure DevOps pipeline execution triggers a CompAuth failure when using a service principal with expired credentials during a scheduled deployment.
Filter/Exclusion: Exclude events where the source is azure-devops or where the user is a service principal with a known deployment ID.
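The following Python is an added example, not code from the Sentinel repository or the Defender for Office 365 solution. It models the query above offline: it derives the CompAuthFail flag by parsing the AuthenticationDetails JSON (rather than the substring match the KQL uses), buckets failures per day with a default of 0 for quiet days as make-series does, and applies the "Meeting Reminder" exclusion from the scenarios list so the effect of an allow-list on the trend can be checked before it is written into KQL. The sample rows, the field set inside AuthenticationDetails, the `teams.example` sender domain standing in for "Microsoft service account", and the baseline multiplier are all constructed assumptions; the window end is treated as exclusive by design.

```python
"""Offline model of the "CompAuth Failure Trend" hunt (added example)."""
from __future__ import annotations

import json
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List, Mapping

# Constructed sample rows shaped like the EmailEvents table (not real telemetry).
# AuthenticationDetails mirrors the JSON string the query searches with
# has_any('CompAuth":"fail'); the exact field set is an assumption.
SAMPLE_EMAIL_EVENTS = [
    {"Timestamp": "2024-05-01T08:12:00Z", "SenderFromAddress": "ceo@contoso.example",
     "Subject": "Urgent: wire transfer today",
     "AuthenticationDetails": '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'},
    {"Timestamp": "2024-05-01T09:30:00Z", "SenderFromAddress": "noreply@teams.example",
     "Subject": "Meeting Reminder: weekly sync",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"fail"}'},
    {"Timestamp": "2024-05-02T11:00:00Z", "SenderFromAddress": "hr@contoso.example",
     "Subject": "Payroll schedule",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
    {"Timestamp": "2024-05-03T14:45:00Z", "SenderFromAddress": "it-support@contoso.example",
     "Subject": "Password reset required",
     "AuthenticationDetails": '{"SPF":"softfail","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}'},
    # Malformed row: the parser must treat it as "not a failure", not crash.
    {"Timestamp": "2024-05-03T15:00:00Z", "SenderFromAddress": "x@example.net",
     "Subject": "garbled", "AuthenticationDetails": "not-json"},
]

# Exclusions for the "Teams meeting reminder" scenario. The sender-domain list
# is an assumed stand-in for "Microsoft service account".
SUBJECT_EXCLUSIONS = ("Meeting Reminder",)
SENDER_DOMAIN_EXCLUSIONS = ("teams.example",)


def is_compauth_fail(auth_details: str) -> bool:
    """Equivalent of the KQL CompAuthFail flag, done by parsing the JSON so a
    missing field or malformed value yields False instead of an error."""
    try:
        parsed = json.loads(auth_details)
    except (TypeError, ValueError):
        return False
    if not isinstance(parsed, dict):
        return False
    return str(parsed.get("CompAuth", "")).lower() == "fail"


def is_excluded(event: Mapping[str, str]) -> bool:
    """Allow-list check: case-insensitive subject substring or sender domain."""
    subject = event.get("Subject", "").lower()
    sender = event.get("SenderFromAddress", "").lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if any(s.lower() in subject for s in SUBJECT_EXCLUSIONS):
        return True
    return domain in SENDER_DOMAIN_EXCLUSIONS


def daily_compauth_fail_series(events: Iterable[Mapping[str, str]], start: str, end: str,
                               apply_exclusions: bool = True) -> Dict[str, int]:
    """Python equivalent of
    `| where CompAuthFail | make-series Count=count() default=0 ... step 1d`.
    Every day in [start, end) gets a bucket (ISO date keys), so quiet days show
    as 0 rather than vanishing from the chart. `end` is exclusive here."""
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    series = {(first + timedelta(days=i)).isoformat(): 0 for i in range((last - first).days)}
    for ev in events:
        day = datetime.strptime(ev["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        if day not in series:
            continue  # outside the window, like the from/to bounds in KQL
        if not is_compauth_fail(ev["AuthenticationDetails"]):
            continue
        if apply_exclusions and is_excluded(ev):
            continue
        series[day] += 1
    return series


def days_above_baseline(series: Mapping[str, int], multiplier: float = 1.5) -> List[str]:
    """Flag days whose count exceeds `multiplier` times the window's mean; a
    simple way to turn the rendered trend into a concrete hunt lead."""
    if not series:
        return []
    mean = sum(series.values()) / len(series)
    return sorted(d for d, c in series.items() if mean > 0 and c > multiplier * mean)


if __name__ == "__main__":
    window = ("2024-05-01", "2024-05-04")
    trend = daily_compauth_fail_series(SAMPLE_EMAIL_EVENTS, *window)
    for day, count in trend.items():
        print(day, count)
    print("above baseline:", days_above_baseline(trend))
```

Running it with and without `apply_exclusions` shows why the exclusions deserve care: the unfiltered series flags 2024-05-01 as above baseline because of the reminder email, while the filtered series does not, so an over-broad subject exclusion would equally hide a spoofed message that happens to carry the same phrase.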