Adversaries may attempt to spoof sender identities on the domain using email that fails authentication checks (SPF, DKIM, DMARC or composite authentication), relying on the spoofed display name or domain to evade scrutiny. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify phishing and account-takeover efforts early.
KQL Query

```kusto
EmailEvents
| where Timestamp > ago(1d) and DetectionMethods contains "spoof"
| project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
```
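As an added worked example (not part of the original query or of the Azure Sentinel hunting-query repository), the following Python mirrors each stage of the KQL above over a handful of constructed EmailEvents rows: the 1-day lookback, the case-insensitive `contains "spoof"` test, the `parse_json`/`bag_unpack` of `AuthenticationDetails`, and the SPF/DKIM/DMARC/CompAuth failure filter. Every row, address, IP, message id and the reference time `NOW` is invented, and the function names are this example's own.

```python
"""Emulate the 'Spoof attempts with auth failure' KQL over constructed EmailEvents rows."""
import json
from datetime import datetime, timedelta, timezone

# Columns the KQL 'project' keeps, besides the unpacked authentication results.
PROJECTED_COLUMNS = ("Timestamp", "NetworkMessageId", "EmailDirection", "Subject",
                     "SenderFromAddress", "SenderIPv4", "ThreatTypes",
                     "DetectionMethods", "ThreatNames")
# Keys that bag_unpack() lifts out of AuthenticationDetails and the final 'where' tests.
AUTH_CHECKS = ("SPF", "DKIM", "DMARC", "CompAuth")

# Constructed reference time so the ago(1d) window is deterministic (not real telemetry).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def _event(msg_id, ts, subject, sender, detection, auth):
    """Build a constructed EmailEvents row; all values are invented for illustration."""
    return {"Timestamp": ts, "NetworkMessageId": msg_id, "EmailDirection": "Inbound",
            "Subject": subject, "SenderFromAddress": sender, "SenderIPv4": "198.51.100.23",
            "ThreatTypes": "Phish", "DetectionMethods": detection, "ThreatNames": "",
            "AuthenticationDetails": auth}


SAMPLE_EMAIL_EVENTS = [
    # Spoof verdict, SPF/DMARC/CompAuth fail, inside the window -> expected hit
    _event("msg-0001", "2024-05-01T09:15:00+00:00", "Urgent: wire transfer approval",
           "ceo@contoso.example", '{"Phish":["Spoof external domain"]}',
           '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'),
    # Spoof verdict but every authentication check passed -> no hit
    _event("msg-0002", "2024-05-01T10:00:00+00:00", "Payroll update",
           "hr@contoso.example", '{"Phish":["Spoof intra-org"]}',
           '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'),
    # Authentication failed but no spoof verdict (e.g. misconfigured bulk sender) -> no hit
    _event("msg-0003", "2024-05-01T11:30:00+00:00", "Weekly newsletter",
           "news@bulk.example", '{"Spam":["Bulk"]}',
           '{"SPF":"fail","DKIM":"none","DMARC":"none","CompAuth":"none"}'),
    # Would match, but is older than the 1-day lookback -> no hit
    _event("msg-0004", "2024-04-28T08:00:00+00:00", "Invoice overdue",
           "billing@contoso.example", '{"Phish":["Spoof external domain"]}',
           '{"SPF":"fail","DKIM":"fail","DMARC":"fail","CompAuth":"fail"}'),
    # Partial results (no DMARC key at all) with a DKIM failure -> expected hit
    _event("msg-0005", "2024-04-30T23:45:00+00:00", "Password reset",
           "it-support@contoso.example", '{"Phish":["Spoof DMARC"]}',
           '{"SPF":"pass","DKIM":"fail","CompAuth":"fail"}'),
]


def unpack_authentication(auth_details):
    """Mirror parse_json(AuthenticationDetails) followed by evaluate bag_unpack(AR).

    Keys that are absent stay absent (the KQL yields null for them), and a value that
    is not a JSON object produces no authentication columns at all.
    """
    try:
        parsed = json.loads(auth_details) if auth_details else {}
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def spoof_with_auth_failure(events, now=None, lookback=timedelta(days=1)):
    """Return the projected rows the KQL would emit for the given EmailEvents rows."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - lookback
    hits = []
    for row in events:
        # Timestamp > ago(1d)
        if datetime.fromisoformat(row["Timestamp"]) <= cutoff:
            continue
        # DetectionMethods contains "spoof": KQL 'contains' is case-insensitive
        if "spoof" not in (row.get("DetectionMethods") or "").lower():
            continue
        auth = unpack_authentication(row.get("AuthenticationDetails"))
        # SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail";
        # a missing key compares as null in KQL, which is never equal to "fail"
        if not any(auth.get(check) == "fail" for check in AUTH_CHECKS):
            continue
        projected = {col: row.get(col) for col in PROJECTED_COLUMNS}
        projected.update({check: auth.get(check) for check in AUTH_CHECKS})
        hits.append(projected)
    return hits


if __name__ == "__main__":
    for hit in spoof_with_auth_failure(SAMPLE_EMAIL_EVENTS, now=NOW):
        failed = [c for c in AUTH_CHECKS if hit[c] == "fail"]
        print(hit["NetworkMessageId"], hit["SenderFromAddress"], "failed:", ",".join(failed))
```

Two details worth carrying over when tuning the real query: `contains` is case-insensitive in Kusto (use `contains_cs` if an exact-case match is intended), and a message whose `AuthenticationDetails` lacks one of the four keys still matches as long as any present key is `"fail"`, because the missing column is null rather than an error.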
```yaml
id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
name: Spoof attempts with auth failure
description: |
  This query helps in checking for spoofing attempts on the domain with authentication failures
description-detailed: |
  This query helps in checking for spoofing attempts on the domain with authentication failures.
  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(1d) and DetectionMethods contains "spoof"
  | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames
  | evaluate bag_unpack(AR)
  | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
False-positive scenarios and suggested exclusions

Note that these exclusions are expressed against endpoint process and event fields (`process.name`, `process.args`, `process.user`, `event_id`) rather than EmailEvents columns, so each must be mapped to the schema of the table it is actually applied to before use.

| Scenario | Filter/Exclusion |
|---|---|
| Legitimate admin task using `net use` to map a network drive with incorrect credentials | `process.name != "net.exe" OR process.args NOT LIKE '%net use%'` |
| Scheduled job running under a service account that fails due to an expired password | `process.user != "DOMAIN\ServiceAccount" OR event_id != 412` |
| User attempting to access a shared folder with incorrect credentials during a file transfer | `process.name != "explorer.exe" OR process.args NOT LIKE '%\\sharedfolder%'` |
| System service attempting to authenticate with a misconfigured service account | `process.name != "svchost.exe" OR process.user NOT LIKE '%DOMAIN\ServiceAccount%'` |
| User testing authentication via RDP with incorrect credentials as part of a security test | `process.name != "mstsc.exe" OR event_id != 412 OR user != "DOMAIN\SecurityTestUser"` |