Adversaries may use spoofed sender addresses to impersonate trusted entities and deliver phishing email that slips past traditional email security controls. SOC teams can use this Azure Sentinel query over Defender for Office 365 EmailEvents data to proactively hunt for that behavior and identify potential credential theft and lateral movement attempts early.
KQL Query

```kql
EmailEvents
| where Timestamp > ago(30d) and (DetectionMethods contains "spoof" or DetectionMethods contains "impersonation")
| project Timestamp, AR=parse_json(ThreatTypes), DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
| evaluate bag_unpack(DT)
| summarize count() by tostring(Phish)
```
```yaml
id: 011c3d48-f6ca-405f-9763-66c7856ad2ba
name: Spoof and impersonation phish detections
description: |
  This query helps review the count of phish detections made by spoof detection methods.
description-detailed: |
  This query helps review the count of phish detections made by spoof detection methods in Defender for Office 365.
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d) and (DetectionMethods contains "spoof" or DetectionMethods contains "impersonation")
  | project Timestamp, AR=parse_json(ThreatTypes), DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress
  | evaluate bag_unpack(DT)
  | summarize count() by tostring(Phish)
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Known benign scenarios that can trigger this query, with suggested filters or exclusions:

- Scenario: Internal users sending emails using their own email addresses but with spoofed headers (e.g., using a tool like Sendmail or Postfix with misconfigured headers).
  Filter/Exclusion: Exclude emails originating from internal IP ranges or users with verified internal email domains.
- Scenario: Scheduled system maintenance jobs (e.g., cron jobs or Task Scheduler tasks) sending automated alerts or status reports to internal teams with spoofed sender names.
  Filter/Exclusion: Exclude emails sent by known system accounts or from specific job IDs or command-line tools.
- Scenario: Admins using tools like PowerShell or Python scripts to send test emails for troubleshooting purposes, which may include spoofed “From” fields.
  Filter/Exclusion: Exclude emails sent from known admin scripts or with specific subject lines or headers indicating test emails.
- Scenario: Users leveraging email clients like Microsoft Outlook or Thunderbird with misconfigured SMTP settings, resulting in emails being sent with spoofed headers.
  Filter/Exclusion: Exclude emails sent from known user devices or with specific client configurations or authentication methods.
- Scenario: Email archiving or compliance tools (e.g., Microsoft Exchange Online Archiving, Sparrow, or Mimecast) forwarding emails to internal review teams, which may include spoofed headers during the process.
  Filter/Exclusion: Exclude emails tagged with specific compliance headers or originating from known archiving tools.
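As an added example (not code from the hunting query above or from the Sentinel repository), the following Python models what the KQL pipeline does to EmailEvents rows: the 30-day window, the `contains` match on the raw DetectionMethods string, `bag_unpack` of the Phish key and the final `summarize`, plus the known-system-account exclusion from the scenarios above as an optional parameter. The sample rows, the NOW date and the sender addresses are constructed, and tostring() of a dynamic array is assumed to yield its compact JSON text.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample EmailEvents rows (not real telemetry). As in the Defender for
# Office 365 schema, DetectionMethods is a JSON object keyed by threat type.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "SenderFromAddress": "ceo@contoso.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    {"Timestamp": NOW - timedelta(days=2), "SenderFromAddress": "cfo@contoso.example",
     "DetectionMethods": '{"Phish":["Impersonation user","Spoof intra-org"]}'},
    # Scheduled job account (the "known system account" false-positive scenario)
    {"Timestamp": NOW - timedelta(days=3), "SenderFromAddress": "alerts@contoso.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    # Outside the 30-day window: dropped by the Timestamp filter
    {"Timestamp": NOW - timedelta(days=45), "SenderFromAddress": "ceo@contoso.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    # Malware verdict only: no "spoof"/"impersonation" substring, filtered out
    {"Timestamp": NOW - timedelta(days=5), "SenderFromAddress": "x@attacker.example",
     "DetectionMethods": '{"Malware":["Antimalware engine"]}'},
    # Edge case (constructed): matches the substring filter but has no Phish key,
    # so the unpacked Phish column is empty and tostring(Phish) groups it under ""
    {"Timestamp": NOW - timedelta(days=6), "SenderFromAddress": "y@attacker.example",
     "DetectionMethods": '{"Spam":["Spoof DMARC"]}'},
]

def hunt_spoof_detections(rows, now=NOW, lookback_days=30, excluded_senders=()):
    """Mirror the KQL: time window, `contains` match on the raw DetectionMethods
    string, bag_unpack of the Phish key, then summarize count() by tostring(Phish).
    excluded_senders is the sender allow-list suggested in the scenarios above."""
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    excluded = {s.lower() for s in excluded_senders}
    for row in rows:
        if row["Timestamp"] <= cutoff:
            continue
        raw = row["DetectionMethods"]
        # KQL `contains` is a case-insensitive substring match on the string
        if not any(k in raw.lower() for k in ("spoof", "impersonation")):
            continue
        if row["SenderFromAddress"].lower() in excluded:
            continue
        phish = json.loads(raw).get("Phish")
        # tostring() of a dynamic array is assumed to be its compact JSON text;
        # a missing (null) Phish column stringifies to ""
        key = json.dumps(phish, separators=(",", ":")) if phish is not None else ""
        counts[key] += 1
    return dict(counts)
```

Running it without exclusions counts the system-account row as a spoof detection; passing `excluded_senders=("alerts@contoso.example",)` removes it, which is the effect the "known system accounts" filter has on the real query.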