Adversaries may spoof legitimate email domains, using business email compromise (BEC) tactics to slip past specific detection technologies and security controls. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify and mitigate spear-phishing campaigns that bypass traditional detection mechanisms.
KQL Query

```kusto
EmailEvents
| where DetectionMethods has 'Spoof'
| project Timestamp, DT=parse_json(DetectionMethods)
| evaluate bag_unpack(DT)
| summarize count() by Phish=tostring(column_ifexists('Phish', ''))
| sort by count_ desc
| render piechart
```
```yaml
id: 0d62d79a-38ef-43d5-a884-347024638250
name: Spoof Detections by Detection Technology
description: |
  This query visualises total emails with Phish (BEC) Spoof detections by Detection Technology
description-detailed: |
  This query visualises total emails with Phish Business Email Compromise (BEC) Spoof detections by various Impersonation Detection technologies/controls in Microsoft Defender for Office 365.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where DetectionMethods has 'Spoof'
  | project Timestamp, DT=parse_json(DetectionMethods)
  | evaluate bag_unpack(DT)
  | summarize count() by Phish=tostring(column_ifexists('Phish', ''))
  | sort by count_ desc
  | render piechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Job Sending Test Emails
Description: A scheduled job (e.g., send-test-emails.sh or daily-report-emailer.py) sends emails to internal users for testing purposes, which may be flagged as spoofed due to the use of internal domains.
Filter/Exclusion: Exclude emails from known system jobs by matching the sender field, or a subject line containing keywords like “test”, “daily report”, or “system job”.
Scenario: Admin Task Using Internal SMTP Server
Description: An administrator uses an internal SMTP server (e.g., mail.example.com) to send emails to users for administrative tasks (e.g., password reset, account creation), which may be flagged as spoofed due to internal IP or domain.
Filter/Exclusion: Exclude emails originating from internal IP ranges or domains using the source_ip or from_domain fields.
Scenario: Phishing Simulation Tool Sending Emails
Description: A security team uses a phishing simulation tool like PhishMe or MockPhish to send emails to employees for training, which may be flagged as spoofed due to the use of internal domains or email addresses.
Filter/Exclusion: Exclude emails with a subject containing “phishing simulation” or “security training” or from a known simulation tool’s email address.
Scenario: Email Forwarding from Internal Admins
Description: An admin forwards emails from a user’s inbox to another internal user using a forwarding rule in Microsoft Exchange or Google Workspace, which may be flagged as spoofed due to the forwarding process.
Filter/Exclusion: Exclude emails where the forwarded_from field is present or where the email is part of a known forwarding rule.
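As an added example (not part of the original hunting query), the following KQL folds the exclusions from the scenarios above into the page's query and counts each Phish detection technology separately with `mv-expand`, instead of grouping on the stringified array as the original does. The simulation sender domain and the internal IP range are assumed placeholders to be replaced with your own values.

```kusto
// Assumed placeholders: replace with your own simulation tool domain(s)
// and internal mail relay range.
let simulation_senders = dynamic(["phishsim.example.com"]);
let internal_relay_range = "10.0.0.0/8";
EmailEvents
| where Timestamp > ago(7d)
| where DetectionMethods has 'Spoof'
// Scenario: phishing simulation tool (sender domain or training subject)
| where not(SenderFromDomain in~ (simulation_senders))
| where Subject !has 'phishing simulation' and Subject !has 'security training'
// Scenario: scheduled system job (subject keywords)
| where Subject !has 'daily report' and Subject !has 'system job'
// Scenario: admin task via internal SMTP relay (source IP in internal range)
| where not(ipv4_is_in_range(SenderIPv4, internal_relay_range))
// DetectionMethods is a JSON object such as
// {"Phish":["Spoof external domain"],"Spam":["Spoof DMARC"]}
| extend DT = parse_json(DetectionMethods)
// One row per Phish detection technology, so an email caught by two
// technologies is counted under both rather than under a combined label
| mv-expand PhishMethod = DT.Phish
| extend PhishMethod = tostring(PhishMethod)
| where isnotempty(PhishMethod)
| summarize Emails = count(),
            DistinctSenders = dcount(SenderFromAddress),
            DistinctRecipients = dcount(RecipientEmailAddress)
  by PhishMethod
| sort by Emails desc
```

A technology with many emails but few distinct senders usually points to a single campaign or a single mis-tuned internal source, which is the first thing to triage.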
Scenario: Email Notifications from Internal Monitoring Tools
Description: