Adversaries may be spoofing external domains to impersonate legitimate senders and deliver phishing emails, leveraging T1566 techniques to bypass email security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential spear-phishing campaigns and mitigate user compromise risks.
KQL Query

```kusto
EmailEvents
// Only inbound mail: spoofing of an external sender domain is what the Phish verdict covers
| where EmailDirection == "Inbound"
// Count all inbound mail and the subset carrying the "Spoof external domain" Phish verdict
// inside the DetectionMethods JSON string, grouped by envelope (P1) and header (P2) sender domain
| summarize TotalEmailCount = count(),
    SpoofExternalCount = countif(DetectionMethods has_any ('Phish":["Spoof external domain"]')) by P1Sender=SenderMailFromDomain, P2Sender=SenderFromDomain
// Share of each sender pair's inbound traffic that was flagged, rounded to two decimals
| extend SpoofExternal_Traffic_Percentage = todouble(round(SpoofExternalCount / todouble(TotalEmailCount) * 100, 2))
| where SpoofExternalCount != 0
| sort by SpoofExternalCount desc
| project P1Sender, P2Sender, SpoofExternalCount, TotalEmailCount, SpoofExternal_Traffic_Percentage
| top 10 by SpoofExternalCount
```
```yaml
id: 09e1ca5e-cc4c-4b89-b585-448cfc1a6579
name: Top Spoof external domain detections by Sender domain (P1/P2)
description: |
  This query visualises total emails with Phish-Spoof-external domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
description-detailed: |
  This query visualises total emails with Phish-Spoof-external domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain). Adding additional insights for total inbound emails and Spoof external domain detection traffic percentage for each sender domain.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | summarize TotalEmailCount = count(),
      SpoofExternalCount = countif(DetectionMethods has_any ('Phish":["Spoof external domain"]')) by P1Sender=SenderMailFromDomain, P2Sender=SenderFromDomain
  | extend SpoofExternal_Traffic_Percentage = todouble(round(SpoofExternalCount / todouble(TotalEmailCount) * 100, 2))
  | where SpoofExternalCount !=0
  | sort by SpoofExternalCount desc
  | project P1Sender,P2Sender,SpoofExternalCount,TotalEmailCount,SpoofExternal_Traffic_Percentage
  | top 10 by SpoofExternalCount
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Internal users send emails using a legitimate external domain for internal collaboration (e.g., using @internal.company.com as the sender domain in a spoofed email for internal teams).
  Filter/Exclusion: Exclude emails where the sender domain is listed in a known internal domain list (e.g., internal_domains.txt or via a SIEM lookup using internal_domains as a reference).
- Scenario: Automated system-generated emails (e.g., from a ticketing system like Jira or ServiceNow) use a legitimate external domain as the sender to notify users.
  Filter/Exclusion: Exclude emails with a specific header field like X-Spam-Status or X-Source-IP that identifies system-generated emails, or use a regex to match known system email patterns.
- Scenario: Scheduled jobs or scripts (e.g., using cron, PowerShell, or Task Scheduler) send emails to notify administrators of system events, using a legitimate external domain as the sender.
  Filter/Exclusion: Exclude emails where the sender IP is associated with a known internal or trusted external IP range (e.g., using a trusted_ips.txt list or a SIEM IP lookup).
- Scenario: Email aliases or forwarding rules (e.g., using Microsoft Exchange or Gmail aliases) route emails through a legitimate external domain, creating a spoofed sender domain.
  Filter/Exclusion: Exclude emails where the sender domain matches known alias domains or where the email is routed through a known internal mail relay (e.g., using a mail_relay_domains.txt list or a sender_ip_to_domain mapping).
- Scenario: User-generated emails with a legitimate external domain in the From field for legitimate purposes (e.g., marketing emails from a third-party vendor using a valid domain).
  Filter/Exclusion: Exclude emails where the sender domain is whit
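The following Python is an added example, not code from the page or from the Sentinel solution it references. It reproduces the hunting query's logic (inbound filter, per P1/P2 sender-domain counts, "Spoof external domain" verdict, percentage, non-zero filter, top-N) over a handful of constructed EmailEvents rows so the aggregation can be validated offline, and it layers on the sender-domain exclusion that the tuning scenarios above describe. Two differences from the KQL are deliberate and labelled in the comments: the verdict is read by parsing the DetectionMethods JSON rather than by a substring term match, and the exclusion list is a plain in-memory set standing in for the lookup file or watchlist the scenarios mention. Sample rows, domain names and the `excluded_p2_domains` parameter are all assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample EmailEvents rows (not real telemetry). DetectionMethods is the
# JSON string Defender for Office 365 writes, e.g. {"Phish":["Spoof external domain"]}.
SAMPLE_EMAIL_EVENTS = [
    {"EmailDirection": "Inbound", "SenderMailFromDomain": "bulk.example.net",
     "SenderFromDomain": "partner.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    {"EmailDirection": "Inbound", "SenderMailFromDomain": "bulk.example.net",
     "SenderFromDomain": "partner.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    {"EmailDirection": "Inbound", "SenderMailFromDomain": "bulk.example.net",
     "SenderFromDomain": "partner.example", "DetectionMethods": ""},
    {"EmailDirection": "Inbound", "SenderMailFromDomain": "partner.example",
     "SenderFromDomain": "partner.example", "DetectionMethods": ""},
    # Ticketing-system notification: the kind of benign P1/P2 mismatch the tuning scenarios cover
    {"EmailDirection": "Inbound", "SenderMailFromDomain": "notify.ticketing.example",
     "SenderFromDomain": "ticketing.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    # Outbound mail is excluded by the query's EmailDirection filter
    {"EmailDirection": "Outbound", "SenderMailFromDomain": "corp.example",
     "SenderFromDomain": "corp.example",
     "DetectionMethods": '{"Phish":["Spoof external domain"]}'},
    # A different verdict family must not count as a spoof detection
    {"EmailDirection": "Inbound", "SenderMailFromDomain": "relay.example.org",
     "SenderFromDomain": "shop.example", "DetectionMethods": '{"Spam":["Bulk"]}'},
]


def has_spoof_external(detection_methods: str) -> bool:
    """True when the Phish verdict list contains "Spoof external domain".

    The KQL matches the verdict with a string term search; parsing the JSON here is
    stricter (an empty or malformed column yields False instead of a partial match).
    """
    if not detection_methods:
        return False
    try:
        verdicts = json.loads(detection_methods)
    except json.JSONDecodeError:
        return False
    return "Spoof external domain" in verdicts.get("Phish", [])


def top_spoof_by_sender(events, excluded_p2_domains=(), limit=10):
    """Mirror the hunting query: counts per (P1, P2) sender domain, percentage, non-zero rows, top N.

    excluded_p2_domains (assumption for this example) stands in for the internal-domain or
    trusted-sender lookup the tuning scenarios describe; matching is case-insensitive.
    """
    excluded = {d.lower() for d in excluded_p2_domains}
    totals = defaultdict(int)      # TotalEmailCount per sender pair
    spoofed = defaultdict(int)     # SpoofExternalCount per sender pair
    for ev in events:
        if ev["EmailDirection"] != "Inbound":
            continue
        key = (ev["SenderMailFromDomain"].lower(), ev["SenderFromDomain"].lower())
        if key[1] in excluded:
            continue
        totals[key] += 1
        if has_spoof_external(ev["DetectionMethods"]):
            spoofed[key] += 1
    rows = []
    for key, spoof_count in spoofed.items():
        if spoof_count == 0:       # "| where SpoofExternalCount != 0"
            continue
        total = totals[key]
        rows.append({
            "P1Sender": key[0],
            "P2Sender": key[1],
            "SpoofExternalCount": spoof_count,
            "TotalEmailCount": total,
            "SpoofExternal_Traffic_Percentage": round(spoof_count / total * 100, 2),
        })
    rows.sort(key=lambda r: r["SpoofExternalCount"], reverse=True)
    return rows[:limit]


if __name__ == "__main__":
    for row in top_spoof_by_sender(SAMPLE_EMAIL_EVENTS):
        print(row)
    print("after excluding ticketing.example:")
    for row in top_spoof_by_sender(SAMPLE_EMAIL_EVENTS, excluded_p2_domains=["ticketing.example"]):
        print(row)
```

Grouping by both P1 and P2 keeps a divergence between the envelope sender (SenderMailFromDomain) and the header sender (SenderFromDomain) visible in the output, which is what distinguishes a bulk-mail or relay pattern from a sender that genuinely controls both domains. When a pair appears with a high percentage but is a known ticketing, relay or alias source from the scenarios above, the exclusion belongs on the P2 domain (or the sender IP range) rather than on the verdict, so that the same verdict from an unexpected sender still surfaces.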