Spoof Detections by Detection Technology Trend

Hunt Hypothesis

Adversaries may be using spoofed email addresses to mimic legitimate detection technologies, attempting to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential BEC attacks that bypass traditional detection mechanisms.

KQL Query

let TimeStart = startofday(ago(30d));
let TimeEnd = startofday(now());
let baseQuery = EmailEvents
| where DetectionMethods has "Phish";
let sdmarc=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
| where Phish has 'Spoof DMARC' 
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
| extend Details = "Spoof DMARC";
let spoofe=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
| where Phish has 'Spoof external domain' 
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
| extend Details = "Spoof external domain";
let spoofi=baseQuery
| project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
| where Phish has 'Spoof intra-org' 
| make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
| extend Details = "Spoof intra-org";
union sdmarc, spoofe, spoofi
| project Count, Details, Timestamp
| render timechart

Analytic Rule Definition

id: 0f47b36b-0d8e-4a55-b9a7-3dfa4ad5b744
name: Spoof Detections by Detection Technology Trend
description: |
  This query visualises total emails with Phish (BEC) Spoof detections by Detection Technology over time
description-detailed: |
  This query visualises total emails with Phish Business Email Compromise (BEC) Spoof detections over time summarizing the data daily by various Impersonation Detection technologies/controls in Microsoft Defender for Office 365.
  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let TimeStart = startofday(ago(30d));
  let TimeEnd = startofday(now());
  let baseQuery = EmailEvents
  | where DetectionMethods has "Phish";
  let sdmarc=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
  | where Phish has 'Spoof DMARC' 
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
  | extend Details = "Spoof DMARC";
  let spoofe=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
  | where Phish has 'Spoof external domain' 
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
  | extend Details = "Spoof external domain";
  let spoofi=baseQuery
  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
  | where Phish has 'Spoof intra-org' 
  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
  | extend Details = "Spoof intra-org";
  union sdmarc, spoofe, spoofi
  | project Count, Details, Timestamp
  | render timechart
version: 1.0.0

Required Data Sources

Sentinel Table	Notes
`EmailEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: InitialAccess
Technique: T1566 — T1566

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Email and Collaboration Queries/Spoof and Impersonation/Spoof detections by Detection Technology Trend.yaml)

False Positive Guidance

Scenario: Scheduled System Job Sending Test Emails
Description: A scheduled job (e.g., cron job or Windows Task Scheduler) sends test emails to internal users for validation purposes. These emails are flagged as spoofed due to the sender’s email domain not matching the recipient’s domain.
Filter/Exclusion: Exclude emails sent by known system jobs or scheduled tasks (e.g., sender = "[email protected]" or subject LIKE '%Test Email%').
Scenario: Admin Task to Reset Passwords via Email
Description: An admin uses an internal tool (e.g., Microsoft Exchange Online or Google Workspace Admin Console) to send password reset emails to users. These emails may be flagged as spoofed due to the sender’s email domain not matching the recipient’s domain.
Filter/Exclusion: Exclude emails sent by admin tools (e.g., sender = "[email protected]" or subject LIKE '%Password Reset%').
Scenario: Email Forwarding Rule in Outlook
Description: A user has an email forwarding rule in Outlook that forwards emails to another internal email address. The forwarded email may be flagged as spoofed because the sender’s email domain appears different.
Filter/Exclusion: Exclude emails that are forwarded (e.g., header "X-Forwarded-For" EXISTS or header "X-MS-Exchange-Organization-Forwarded" = "true").
Scenario: Internal Monitoring Tool Sending Alerts
Description: An internal monitoring tool (e.g., Splunk, Datadog, or Prometheus) sends alert emails to the security team. These emails may be flagged as spoofed due to the sender’s email domain not matching the recipient’s domain.
Filter/Exclusion: Exclude emails sent by monitoring tools (e.g., `sender =