Adversaries may spoof sender email addresses to impersonate legitimate users or domains; such messages typically fail SPF validation. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential phishing or credential-compromise attempts early.
KQL Query

```kusto
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
EmailEvents
// AuthenticationDetails is a JSON string such as {"SPF":"fail","DKIM":"none",...}
| extend SPFFail = AuthenticationDetails has_any ('SPF":"fail')
// Keep only messages whose SPF check failed before building the daily series
| where SPFFail
| make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
| render timechart
```
```yaml
id: 1c76c9d2-a8f3-4a22-be48-0d3454326cca
name: SPF Failure Trend
description: |
  This query visualises the daily count of emails with Spoof - SPF fails.
description-detailed: |
  This query visualises the daily count of emails with Spoof - SPF fails.
  The query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  EmailEvents
  // AuthenticationDetails is a JSON string such as {"SPF":"fail","DKIM":"none",...}
  | extend SPFFail = AuthenticationDetails has_any ('SPF":"fail')
  // Keep only messages whose SPF check failed before building the daily series
  | where SPFFail
  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
- Scenario: Scheduled system backups using tools like Veeam or Commvault that send automated email notifications with spoofed sender addresses.
  Filter/Exclusion: Exclude emails sent from backup notification tools or IP ranges used by backup systems.
- Scenario: Microsoft Exchange Online automated tasks such as mailbox move requests or migration jobs that use spoofed email addresses for internal communication.
  Filter/Exclusion: Exclude emails originating from internal domains or IP ranges associated with Exchange services.
- Scenario: AWS SES (Simple Email Service) sends emails for automated notifications (e.g., EC2 instance status updates) using a spoofed "From" address configured in the email template.
  Filter/Exclusion: Exclude emails from known AWS SES IP ranges or emails with specific "From" headers used for automated notifications.
- Scenario: Jenkins CI/CD pipelines configured to send build status emails using a spoofed sender address for internal team communication.
  Filter/Exclusion: Exclude emails from Jenkins servers or with specific subject lines or headers indicating automated build status updates.
- Scenario: ServiceNow or Zendesk sends automated support tickets or alerts using a spoofed email address to mimic internal support teams.
  Filter/Exclusion: Exclude emails from known service desk platforms or with specific headers indicating they are system-generated alerts.
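The exclusions from these scenarios applied to the SPF-failure hunt, as an added example that is not the page's own query; the allowlisted IPs, domains and subject markers are constructed placeholders, and the EmailEvents columns used (SenderIPv4, SenderFromDomain, Subject, DeliveryAction, RecipientEmailAddress) are the standard Defender for Office 365 schema:

```kusto
// Added example (not the page's own query): SPF-failure trend with the
// false-positive exclusions from the scenarios above applied, broken out by
// sender so analysts can triage what remains. All allowlist values below are
// constructed placeholders; replace them with your own values or a watchlist.
let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
// Constructed: sender IPs of trusted automation (backup, CI/CD, SES, ticketing).
let TrustedSenderIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
// Constructed: header-From domains that legitimately fail SPF in this tenant.
let TrustedSenderDomains = dynamic(["backup.example.com", "ci.example.com"]);
// Constructed: subject markers of system-generated mail (build status, tickets).
let AutomatedSubjectMarkers = dynamic(["[Jenkins]", "Build #", "Ticket #"]);
EmailEvents
| where Timestamp between (TimeStart .. TimeEnd)
// AuthenticationDetails is a JSON string, e.g. {"SPF":"fail","DKIM":"none","DMARC":"fail",...}
| extend Auth = parse_json(AuthenticationDetails)
| extend SPFResult = tostring(Auth.SPF), DMARCResult = tostring(Auth.DMARC)
| where SPFResult == "fail"
// Exclusions: trusted sender IPs, trusted header-From domains, automated subjects.
// In Sentinel these lists can instead come from a watchlist via _GetWatchlist('<name>').
| where not(SenderIPv4 in (TrustedSenderIPs))
| where not(SenderFromDomain in~ (TrustedSenderDomains))
| where not(Subject has_any (AutomatedSubjectMarkers))
// Daily trend per sender, keeping the DMARC outcome so messages that also
// failed DMARC (higher spoof confidence) stand out during triage.
| summarize EmailCount = count(),
            DistinctRecipients = dcount(RecipientEmailAddress),
            DeliveredCount = countif(DeliveryAction == "Delivered")
    by Day = bin(Timestamp, 1d), SenderFromDomain, SenderIPv4, DMARCResult
| order by Day asc, EmailCount desc
```

Senders that remain after the exclusions and show a high DeliveredCount with DMARCResult of "fail" are the ones worth opening first, since they reached mailboxes despite failing both checks.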