Adversaries may spoof the sender display name to impersonate trusted entities and gain user trust, a phishing (T1566) technique that works because the display name is not covered by sender-authentication checks and is what most recipients actually read. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential spear-phishing attempts before credentials are compromised.
KQL Query
```kusto
// Baseline: senders that have already delivered more than three messages with the
// brand in their display name before the last 24 hours (ago() takes 24h, not 24hrs).
let emailDelivered = EmailEvents
| where Timestamp < ago(24h)
    and DeliveryAction == "Delivered"
    and SenderDisplayName contains "Microsoft"
| summarize count() by SenderFromAddress
| where count_ > 3 // ensuring that some level of communications has occurred.
| project SenderFromAddress;
// Recent inbound, delivered, unblocked mail carrying the brand in the display name,
// from senders that are not in the baseline (leftanti join drops the known senders).
EmailEvents
| where Timestamp > ago(24h)
| where DeliveryAction == "Delivered"
    and EmailDirection == "Inbound"
    and OrgLevelAction != "Block"
    and UserLevelAction != "Block"
    and SenderDisplayName contains "Microsoft"
| extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true)
| project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
| join kind=leftanti ( emailDelivered ) on SenderFromAddress
| order by SenderMailFromAddress
| summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
```
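The two-stage logic of the query (history baseline, then an anti-join of the last 24 hours, plus the RE:/FW: flag) re-implemented in Python over a constructed EmailEvents sample. This is an added example, not part of the original rule; the addresses, subjects and timestamps are made up, and the sample rows carry only the columns the filter logic needs.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _row(days_ago, display, sender, recipient, subject, org_action="", user_action=""):
    # One constructed EmailEvents-like record (inbound and delivered unless overridden).
    return {"Timestamp": NOW - timedelta(days=days_ago), "SenderDisplayName": display,
            "SenderFromAddress": sender, "RecipientEmailAddress": recipient, "Subject": subject,
            "DeliveryAction": "Delivered", "EmailDirection": "Inbound",
            "OrgLevelAction": org_action, "UserLevelAction": user_action}

# Constructed sample data, not real telemetry.
EMAIL_EVENTS = [
    # Established sender: four delivered mails older than 24h, so it enters the baseline.
    *[_row(d, "Microsoft Account Team", "noreply@vendor.example", "alice@corp.example",
           "Monthly statement") for d in (3, 5, 9, 14)],
    # Same established sender inside the last 24h: removed by the anti-join.
    _row(0.2, "Microsoft Account Team", "noreply@vendor.example", "alice@corp.example", "Monthly statement"),
    # Never-seen sender using the brand in its display name: flagged, NewMsg=True.
    _row(0.1, "Microsoft Security", "alerts@login-portal.example", "bob@corp.example",
         "Action required: verify your password"),
    # Never-seen sender, but a reply thread: flagged, NewMsg=False.
    _row(0.3, "Microsoft Support", "help@contoso-it.example", "carol@corp.example", "RE: ticket 4711"),
    # Already blocked by an org-level policy: excluded from the results.
    _row(0.4, "Microsoft Billing", "bill@unknown.example", "dan@corp.example", "Invoice", org_action="Block"),
]

def _contains(haystack, needle):
    return needle.casefold() in haystack.casefold()  # KQL 'contains' is case-insensitive

def display_name_spoof_hunt(events, brand="Microsoft", window=timedelta(hours=24), min_history=3):
    """Recent inbound mail carrying the brand in its display name from senders with no delivery history."""
    cutoff = NOW - window
    # Stage 1 (emailDelivered): senders seen more than min_history times before the window.
    history = {}
    for e in events:
        if e["Timestamp"] < cutoff and e["DeliveryAction"] == "Delivered" and _contains(e["SenderDisplayName"], brand):
            history[e["SenderFromAddress"]] = history.get(e["SenderFromAddress"], 0) + 1
    known_senders = {s for s, n in history.items() if n > min_history}
    # Stage 2: recent inbound delivered mail, not blocked, from senders outside the baseline.
    hits = []
    for e in events:
        if (e["Timestamp"] > cutoff and e["DeliveryAction"] == "Delivered"
                and e["EmailDirection"] == "Inbound"
                and e["OrgLevelAction"] != "Block" and e["UserLevelAction"] != "Block"
                and _contains(e["SenderDisplayName"], brand)
                and e["SenderFromAddress"] not in known_senders):
            new_msg = not (_contains(e["Subject"], "RE:") or _contains(e["Subject"], "FW:"))
            hits.append({**e, "NewMsg": new_msg})
    return hits
```

Running it on the sample returns two hits (the new "Microsoft Security" sender and the "RE:" thread) and suppresses both the established vendor and the org-blocked message.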
```yaml
id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c
name: Display Name - Spoof and Impersonation
description: |
  This query helps review incoming email messages where the display name of the sender contains your own or a partner company/brand name
description-detailed: |
  This query helps review incoming email messages where the display name of the sender contains your own or a partner company/brand name, using Defender for Office 365 data
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let emailDelivered = EmailEvents
  | where Timestamp < ago(24h)
      and DeliveryAction == "Delivered"
      and SenderDisplayName contains "Microsoft"
  | summarize count() by SenderFromAddress
  | where count_ > 3 // ensuring that some level of communications has occurred.
  | project SenderFromAddress;
  EmailEvents
  | where Timestamp > ago(24h)
  | where DeliveryAction == "Delivered"
      and EmailDirection == "Inbound"
      and OrgLevelAction != "Block"
      and UserLevelAction != "Block"
      and SenderDisplayName contains "Microsoft"
  | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true)
  | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
  | join kind=leftanti ( emailDelivered ) on SenderFromAddress
  | order by SenderMailFromAddress
  | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Internal User Renaming Their Display Name for Personal Branding
Description: A legitimate user may rename their display name to include their personal brand or professional title (e.g., “John Doe - CEO of XYZ Corp”) for personal branding or email signature purposes.
Filter/Exclusion: Exclude emails where the sender is a known internal user and the display name includes their real name or job title. Example: sender_email = "[email protected]" OR display_name LIKE "%John Doe - CEO%"
Scenario: Scheduled Job Sending Emails with Partner Branding
Description: A scheduled job (e.g., a script or automation tool like Power Automate, Python script, or AWS Lambda) may send emails to customers or partners with a display name that includes a partner company name for marketing or service updates.
Filter/Exclusion: Exclude emails sent by known automation tools or scheduled jobs. Example: source = "PowerAutomate" OR source = "AWSLambda" OR subject LIKE "%Service Update%"
Scenario: Admin Task for User Onboarding with Display Name Customization
Description: An admin may configure a user’s display name during onboarding to include their department or team name (e.g., “IT Support - John Doe”) for internal clarity.
Filter/Exclusion: Exclude emails where the sender is an admin or the display name includes a team/department name. Example: sender_email = "[email protected]" OR display_name LIKE "%IT Support - %"
Scenario: Email Signature with Company Branding
Description: Users may have email signatures that include company branding (e.g., “John Doe | Sales Manager | ABC Corp”) which can trigger the rule due to the presence of the company name in the display name.
Filter/Exclusion: Exclude emails where the display name