Adversaries may spoof internal domains to bypass email security controls and impersonate trusted users within the organization. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential spear-phishing campaigns and prevent lateral movement or data exfiltration.
KQL Query
EmailEvents
| where EmailDirection == "Inbound"
| summarize TotalEmailCount = count(),
SpoofInternalCount = countif(DetectionMethods has_any ('Phish":["Spoof intra-org"]')) by P1Sender=SenderMailFromDomain, P2Sender=SenderFromDomain
| extend SpoofInternal_Traffic_Percentage = todouble(round(SpoofInternalCount / todouble(TotalEmailCount) * 100, 2))
| where SpoofInternalCount !=0
| sort by SpoofInternalCount desc
| project P1Sender,P2Sender,SpoofInternalCount,TotalEmailCount,SpoofInternal_Traffic_Percentage
| top 10 by SpoofInternalCount
id: 11c4556a-0d77-47ba-9564-0818065c270d
name: Top Spoof intra-org detections by Sender domain (P1/P2)
description: |
This query visualises total emails with Phish-Spoof-internal domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain).
description-detailed: |
This query visualises total emails with Phish-Spoof-internal domain detections summarizing the data by the top 10 email sender P2 domain (SenderFromDomain) and sender P1 domain (SenderMailFromDomain). Adding additional insights for total inbound emails and Spoof internal domain detection traffic percentage for each sender domain.
Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where EmailDirection == "Inbound"
| summarize TotalEmailCount = count(),
SpoofInternalCount = countif(DetectionMethods has_any ('Phish":["Spoof intra-org"]')) by P1Sender=SenderMailFromDomain, P2Sender=SenderFromDomain
| extend SpoofInternal_Traffic_Percentage = todouble(round(SpoofInternalCount / todouble(TotalEmailCount) * 100, 2))
| where SpoofInternalCount !=0
| sort by SpoofInternalCount desc
| project P1Sender,P2Sender,SpoofInternalCount,TotalEmailCount,SpoofInternal_Traffic_Percentage
| top 10 by SpoofInternalCount
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
Scenario: Internal email relaying via Microsoft Exchange hybrid environment
Description: Emails sent from a hybrid Exchange environment may have the sender domain set to an internal domain (e.g., @example.com) even though the email is relayed through an external service like Office 365.
Filter/Exclusion: Exclude emails where the sender is a known internal relay server or where the email is sent from a Microsoft Exchange server (e.g., @example.com with X-Originating-IP matching internal IP ranges).
Scenario: Scheduled system health checks using PowerShell or Ansible
Description: Automated scripts or tools like PowerShell or Ansible may send emails to internal administrators for system health checks, which could be flagged as spoofed internal emails.
Filter/Exclusion: Exclude emails sent from known system accounts (e.g., [email protected]) or with a specific subject line like “System Health Check” or “Scheduled Task Alert”.
Scenario: User-generated emails with spoofed sender domains for testing
Description: Users may intentionally spoof internal domains for testing purposes (e.g., testing email headers or phishing simulations) which can trigger the detection rule.
Filter/Exclusion: Exclude emails with a Message-ID or Received header that indicates the email was sent from a test environment or a sandboxed system (e.g., [email protected] or X-Test-Email: Yes).
Scenario: Email notifications from internal monitoring tools (e.g., Splunk, SolarWinds)
Description: Internal monitoring tools may send emails to administrators with sender domains that appear internal, leading to false positives.
Filter/Exclusion: Exclude emails where the sender is a known monitoring tool account (e.g., [email protected]) or where the email contains a specific header like `X-Monitor