Adversaries may be spoofing email domains to bypass DMARC policies and exfiltrate data or deliver phishing payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential email-based attacks that evade standard detection mechanisms.
KQL Query
EmailEvents
| where EmailDirection == "Inbound"
| summarize TotalEmailCount = count(),
DMARCFailCount = countif(DetectionMethods has_any ('Phish":["Spoof DMARC"]')) by P1Sender=SenderMailFromDomain, P2Sender=SenderFromDomain
| extend DMARCFail_Traffic_Percentage = todouble(round(DMARCFailCount / todouble(TotalEmailCount) * 100, 2))
| where DMARCFailCount !=0
| sort by DMARCFailCount desc
| project P1Sender,P2Sender,DMARCFailCount,TotalEmailCount,DMARCFail_Traffic_Percentage
| top 10 by DMARCFailCount
id: 633f848f-bb17-4813-81b4-098d277b00f7
name: Top Spoof DMARC detections by Sender domain (P1/P2)
description: |
  This query visualises the total number of inbound emails with Spoof DMARC fail detections, summarised by the top sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
description-detailed: |
  This query visualises the total number of inbound emails with Spoof DMARC fail detections, summarised by the top sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain). It also reports the total inbound email count and the DMARC-fail traffic percentage for each sender domain pair.
  The query is also included in the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where EmailDirection == "Inbound"
  | summarize TotalEmailCount = count(),
      DMARCFailCount = countif(DetectionMethods has_any ('Phish":["Spoof DMARC"]')) by P1Sender=SenderMailFromDomain, P2Sender=SenderFromDomain
  | extend DMARCFail_Traffic_Percentage = todouble(round(DMARCFailCount / todouble(TotalEmailCount) * 100, 2))
  | where DMARCFailCount != 0
  | sort by DMARCFailCount desc
  | project P1Sender, P2Sender, DMARCFailCount, TotalEmailCount, DMARCFail_Traffic_Percentage
  | top 10 by DMARCFailCount
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
Scenario: Legitimate email relay through a third-party email service provider (e.g., SendGrid, Mailgun) that uses a shared sender domain.
Filter/Exclusion: Exclude emails where the sender domain is associated with a known email service provider or use a SenderMailFromDomain filter to exclude domains like mailgun.org, sendgrid.net, or smtp-relay.gmail.com.
Scenario: Scheduled system job or admin task that sends automated emails (e.g., backup reports, system alerts) using a non-DMARC-protected domain.
Filter/Exclusion: Exclude emails sent by known system accounts or scheduled tasks (e.g., root@localhost, [email protected]) using a SenderFromDomain filter or by checking the X-Message-ID header for system-generated messages.
Scenario: Internal email forwarding or aliasing where the sender domain is not properly configured with DMARC, but the email is legitimate.
Filter/Exclusion: Exclude emails where the SenderFromDomain matches internal domains (e.g., internal.company.com, intra.company.net) or use a SenderMailFromDomain filter to exclude internal email aliases.
Scenario: Email sent by a legitimate user using a personal email account (e.g., Gmail, Outlook) for business purposes, which may not be aligned with the organization’s DMARC policy.
Filter/Exclusion: Exclude emails where the SenderFromDomain is a personal email domain (e.g., [email protected], [email protected]) or use a SenderFromDomain filter to exclude known personal email domains.
Scenario: Email sent by a legitimate partner or vendor using a domain that is not aligned with the organization’s DMARC policy but is still a valid business contact.
Filter/Exclusion: Exclude emails from known partner domains (e
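The hunting query with the tuning the false-positive scenarios on this page describe, as an added example (it is not part of the original query or the Sentinel solution). The domain lists are placeholders taken from the scenarios, `MinEmails` is an assumed threshold, and the Spoof DMARC match parses the `DetectionMethods` JSON rather than matching a substring of it.

```kql
// Added example: the same P1/P2 aggregation with exclusion lists for the
// false-positive scenarios. Every list below is a constructed placeholder;
// populate it from your own environment. Each excluded domain also hides
// spoofing OF that domain, so keep the lists narrow and reviewed.
let KnownRelayDomains   = dynamic(["mailgun.org", "sendgrid.net", "smtp-relay.gmail.com"]);
let InternalDomains     = dynamic(["internal.company.com", "intra.company.net"]);
let PersonalMailDomains = dynamic(["gmail.com", "outlook.com"]);
let PartnerDomains      = dynamic(["partner.example"]);
let MinEmails = 5;   // assumed: ignore pairs with too little traffic to judge a percentage
EmailEvents
| where EmailDirection == "Inbound"
// DetectionMethods is a JSON string such as {"Phish":["Spoof DMARC"]}; check the
// parsed Phish array for the element instead of relying on its text layout.
| extend IsSpoofDmarc = set_has_element(parse_json(DetectionMethods).Phish, "Spoof DMARC")
| summarize TotalEmailCount = count(), DMARCFailCount = countif(IsSpoofDmarc)
    by P1Sender = SenderMailFromDomain, P2Sender = SenderFromDomain
| where DMARCFailCount > 0 and TotalEmailCount >= MinEmails
// Scenario 1: third-party relays use their own envelope (P1) domain
| where not(P1Sender in~ (KnownRelayDomains))
// Scenarios 3-5: internal aliases, personal accounts and partners appear in the header From (P2) domain
| where not(P2Sender in~ (InternalDomains))
| where not(P2Sender in~ (PersonalMailDomains))
| where not(P2Sender in~ (PartnerDomains))
| extend DMARCFail_Traffic_Percentage = round(100.0 * DMARCFailCount / TotalEmailCount, 2)
| project P1Sender, P2Sender, DMARCFailCount, TotalEmailCount, DMARCFail_Traffic_Percentage
| top 10 by DMARCFailCount desc
```

Review what the exclusions remove before committing them: a high DMARCFail_Traffic_Percentage for a domain on one of these lists is still worth a look, since the list only encodes who is expected to fail, not whether this particular traffic is theirs.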