Microsoft Security • Investigation Hub • KQL Threat Hunting

Agent Foskett Hub

Agent Foskett Hub is GEMXIT’s Microsoft Security Investigation Hub — built to help organisations understand real Microsoft security signals, KQL threat hunting patterns and practical defensive lessons. The hub focuses on Microsoft Defender XDR, Sentinel, Entra ID, EmailEvents, AuthenticationDetails, phishing investigations, cloud misconfigurations, session security and emerging AI governance risks. Each investigation highlights what happened, what was missed, and what organisations can do before small signals become serious incidents.

Agent Foskett — apparently now being referred to as “The King of KQL”.
Agent Foskett Microsoft Security Investigations
About the briefings

Agent Foskett briefings translate real technical observations into clear, practical lessons for organisations operating modern Microsoft environments. They focus on the kinds of issues that often go unnoticed until they become operational, security or governance risks.

Practical security observations
Real-world configuration lessons
Modern Microsoft security insights
Start here: Microsoft Defender KQL Threat Hunting Guide
Real Microsoft Defender, Sentinel and Entra ID queries used in practical investigations, including spoofed email, AuthenticationDetails, EmailEvents, URL clicks and suspicious sign-ins.
New: 🕵️ Agent Foskett Academy
Learn KQL through practical Microsoft Defender XDR, Sentinel, Entra ID and real-world threat hunting lessons. Built for analysts, engineers, students and defenders who want to understand what the logs are actually saying.

New to Agent Foskett?

Start with the cornerstone investigations that explain how the hub works: follow the signal, question the dashboard, and use KQL to understand what really happened.

Investigation categories

The Agent Foskett Hub is organised around the Microsoft security signals that matter most during real investigations.

KQL Threat Hunting, Microsoft Defender XDR, Microsoft Sentinel, Entra ID, EmailEvents, AuthenticationDetails, DMARC & Spoofing, Session Hijacking, Conditional Access, Azure Security, AI Governance, Operational Lessons

Why organisations use the Agent Foskett Hub

A practical investigation hub for organisations that want to move beyond dashboards, read Microsoft security telemetry properly and understand what the data is really saying.
Real security scenarios
Microsoft ecosystem insights
Practical defensive thinking
KQL threat hunting

Microsoft Security Investigation Library

A structured collection of real-world Microsoft security investigations covering Defender XDR, Sentinel, Entra ID, EmailEvents, AuthenticationDetails, DMARC, spoofing, session hijacking, Azure exposure and operational security lessons. Each briefing highlights the signal, the investigation path and the lesson learned.
Featured investigations

Core Agent Foskett pillar pages for Microsoft Defender XDR, Sentinel, Entra ID and KQL threat hunting.

New: Agent Foskett Academy — Learn KQL Through Real Investigations

A practical learning path for KQL, Microsoft Defender XDR, Sentinel and Microsoft security telemetry. Start with the basics, then build toward real threat hunting investigations.
Lesson: KQL is not just syntax — it is how investigators ask better questions of security data.
Academy, Learn KQL, Defender XDR

Episode: Start Here: Microsoft Defender KQL Threat Hunting Guide

The core Agent Foskett playbook. Real KQL queries used to detect spoofed email, authentication failures, suspicious sign-ins, URL clicks and hidden activity across Microsoft Defender, Sentinel and Entra ID.
Lesson: security isn’t only about alerts — it’s about asking the right questions of your data.
KQL Threat Hunting, Microsoft Defender

Episode: Microsoft Defender KQL Threat Hunting (Complete Guide)

The full Agent Foskett investigation playbook. Follow real-world attack paths across Microsoft Defender using KQL — from email spoofing and DMARC failures to URL clicks, identity pivots, endpoint behaviour and cloud activity.
Lesson: the alerts don’t tell the full story — the data does. Follow the behaviour, not just the signal.
KQL Threat Hunting, Microsoft Defender, Investigation

Threat hunting foundations

KQL, EmailEvents, AuthenticationDetails and practical Microsoft Defender investigation workflows.

Episode: KQL Threat Hunting

Alerts are useful, but they are not the full investigation.

This Agent Foskett briefing introduces practical KQL threat hunting across Microsoft Defender, Sentinel and Entra ID, showing how simple queries can uncover suspicious sign-ins, email activity, endpoint behaviour and patterns that dashboards may not explain.
Lesson: KQL helps security teams move from waiting for alerts to actively asking better questions of their data.
KQL Threat Hunting, Microsoft Security

Episode: Microsoft Defender Email Security KQL Queries

The email looked real, but the domains did not line up.

This Agent Foskett investigation uses KQL, EmailEvents and AuthenticationDetails to detect spoofed sender domains, DMARC failures, sender mismatch and suspicious delivery outcomes inside Microsoft Defender.
Lesson: email spoofing is often visible in the data before it is obvious to the user. The trick is knowing which fields to compare.
EmailEvents, KQL, Email Spoofing

Episode: Using startswith and endswith in KQL

Not every investigation starts with an exact match. Sometimes defenders need to find domains, file names, command lines or account values based on how the text begins or ends.

This Agent Foskett lesson explains how startswith and endswith help narrow evidence during Microsoft Defender XDR and Sentinel investigations.
Lesson: useful filtering often begins by understanding the shape of the evidence, not just the exact value.
KQL, startswith, endswith, Threat Hunting

Identity and session investigations

MFA, trusted devices, token theft, persistent sessions and Conditional Access investigations.

Episode: The User Clicked Accept… And Gave Away The Entire Mailbox

The user never typed their password into a fake website. MFA succeeded. No malware was downloaded. No endpoint alert immediately fired.

Everything looked legitimate.

But the user approved a malicious OAuth application and granted access to the mailbox through Microsoft 365 permissions. This Agent Foskett investigation explores OAuth consent phishing, malicious app permissions, offline access, mailbox visibility and why successful MFA does not always mean the session is safe.
Lesson: MFA proves the user authenticated — it does not prove the application they authorised was trustworthy. Sometimes the attacker does not steal the password. They convince the user to click Accept.
OAuth Consent, Microsoft 365, Entra ID, Mailbox Access, KQL

Episode: The OAuth App Asked For Permission

The password was never stolen. MFA succeeded. Everything looked legitimate.

Then the user clicked Accept.

That single approval granted an application permission inside Microsoft 365. No malware was required. No password was needed.

This Agent Foskett investigation explores OAuth consent abuse, application permissions, service principals, Microsoft Entra ID and how attackers can gain access through trusted application workflows.
Lesson: MFA proves the user authenticated. It does not prove the application they authorised was trustworthy.
OAuth Consent, Microsoft Entra ID, Service Principals, Application Permissions, Microsoft 365

Episode: The Service Principal Had Global Administrator

The user account looked normal. MFA succeeded. No compromised credentials were found.

Then the permissions were reviewed.

A service principal had Global Administrator-level access.

This Agent Foskett investigation explores Microsoft Entra ID, service principals, enterprise applications, privileged permissions and how application identities can quietly become one of the most powerful attack paths inside a Microsoft 365 tenant.
Lesson: attackers do not always need a privileged user account. Sometimes the most dangerous identity in the tenant is an application nobody is monitoring.
Service Principals, Microsoft Entra ID, Global Administrator, Enterprise Applications, KQL

Episode: The MFA Method Was Added At 3:14AM

The account had MFA enabled. The password had already been changed. Everything appeared secure.

Then the authentication methods were reviewed.

A new MFA method had been added at 3:14AM. The user was asleep.

This Agent Foskett investigation explores suspicious MFA registration, Microsoft Entra ID AuditLogs, authentication method changes, account takeover persistence and why password resets alone do not always remove attacker access.
Lesson: attackers do not always bypass MFA. Sometimes they register their own method and become part of the trusted authentication path.
MFA Registration, Microsoft Entra ID, AuditLogs, Account Takeover, KQL

Episode: The Login Was Successful But The Risk Was High

The password was correct. MFA succeeded. The user reached Microsoft 365 without issue.

Everything looked normal.

Then Entra ID flagged the sign-in as High Risk.

The login was successful. The investigation was only beginning.

This Agent Foskett investigation explores Microsoft Entra ID Identity Protection, risky sign-ins, SigninLogs, impossible travel indicators, unfamiliar locations, Conditional Access decisions and why successful authentication does not automatically mean a session is trustworthy.
Lesson: a successful login confirms authentication. It does not guarantee the identity, device, location or session can be trusted.
Risky Sign-Ins, Microsoft Entra ID, Identity Protection, SigninLogs, KQL

Episode: The Impossible Travel Alert Was Wrong

The alert looked serious.

A user appeared to sign in from Melbourne and then Singapore only minutes later. No commercial flight could explain the journey.

The risk score increased. The investigation suggested account compromise.

Then the device details, IP addresses and session timeline told a different story.

This Agent Foskett investigation explores Microsoft Entra ID Impossible Travel alerts, VPN exit nodes, risky sign-ins, device continuity, identity telemetry and why unusual location data does not always mean the user account was compromised.
Lesson: Impossible Travel alerts are investigation leads, not final verdicts. The alert may be real while the compromise is not.
Impossible Travel, Microsoft Entra ID, Risky Sign-Ins, VPN Investigation, KQL

Episode: Impossible Travel Sign-In Investigation

The sign-in looked impossible. One location appeared in the logs, then another location appeared shortly after.

This Agent Foskett investigation explores impossible travel sign-ins, suspicious location changes, risky authentication events and why identity telemetry must be reviewed before assuming the account is safe or compromised.
Lesson: impossible travel is not a conclusion. It is a signal that starts the identity investigation.
Impossible Travel, SigninLogs, Microsoft Entra ID, Identity Protection

Episode: The MFA Prompt Looked Normal

The user had MFA enabled. The prompt appeared on their phone. The Microsoft sign-in flow looked familiar.

No malware alert fired. No suspicious attachment was opened. No impossible travel alert immediately explained what happened.

But the phone kept buzzing. Again and again.

Eventually, the user pressed Approve. This Agent Foskett investigation explores MFA fatigue attacks, push bombing, repeated authentication prompts, suspicious sign-in behaviour and why a normal-looking MFA prompt can still be part of an active compromise.
Lesson: MFA is essential, but users must understand that unexpected MFA prompts are security events. The prompt may be real — but the person triggering it may not be.
MFA Fatigue, Push Bombing, Microsoft Entra ID, SigninLogs, KQL

Episode: The QR Code Was Trusted

Nobody typed a password. Nobody downloaded malware. The desktop stayed clean.

The user simply scanned a QR code. The Microsoft 365 login page looked familiar. The authentication flow looked legitimate.

But the QR code redirected the user into a credential harvesting and session theft workflow designed to move the attack away from the protected corporate device and onto a trusted mobile phone.

This Agent Foskett investigation explores QR phishing attacks, mobile authentication abuse, suspicious sign-ins, token theft, Microsoft Entra ID investigations and how attackers increasingly abuse trusted mobile workflows inside Microsoft 365 environments.
Lesson: the QR code itself may look harmless — but once a trusted mobile device approves the session, the attacker may inherit legitimate access without ever deploying malware.
QR Phishing, Quishing, Microsoft Entra ID, Session Hijacking, KQL

Episode: The User Passed MFA… But It Wasn’t Really Them

The sign-in looked legitimate. The password was correct. MFA was approved. The session was trusted.

No impossible travel alert. No failed login attempts. Nothing appeared obviously malicious.

But the attacker never needed to bypass MFA. They inherited the authenticated session instead. This Agent Foskett investigation explores session hijacking, token theft, browser cookie abuse and how attackers operate inside trusted Microsoft 365 sessions after authentication has already succeeded.
Lesson: Successful MFA does not automatically prove the identity is safe. Modern attacks increasingly target session tokens, browser cookies and inherited trust, making behavioural analysis and identity investigation critical.
Microsoft Entra ID, Session Hijacking, Threat Hunting

Episode: The Login Came Through A Trusted Device

The sign-in looked legitimate. The user authenticated successfully. MFA passed. The device was compliant. Conditional Access allowed the session.

But the attacker was already inside the trusted device. This Agent Foskett investigation explores how modern attackers abuse legitimate corporate endpoints, session tokens, browser cookies and inherited trust inside Microsoft environments.
Lesson: A compliant or trusted device does not automatically mean safe activity. Modern attacks increasingly operate inside legitimate authentication flows, making behavioural analysis, endpoint telemetry and identity investigation critical.
Microsoft Entra ID, Conditional Access, Threat Hunting

Episode: The Inbox Rule Hid The Evidence

The email was gone. No warning. No deletion alert. No sign of the message in the inbox.

But after a suspicious sign-in, a new inbox rule appeared. Messages were quietly moved out of sight before anyone knew to investigate.

This Agent Foskett investigation explores hidden mailbox rules, CloudAppEvents, EmailEvents, UrlClickEvents and KQL to uncover post-compromise activity designed to conceal suspicious email from users and defenders.
Lesson: the evidence is not always deleted. Sometimes attackers simply move it somewhere nobody is looking.
Inbox Rules, CloudAppEvents, EmailEvents, KQL, Microsoft 365

Episode: The Inbox Rule Was Created At 2:13AM

The login itself did not trigger panic. MFA succeeded. The account was not immediately disabled. No malware alert fired.

But at 2:13AM, a new inbox rule quietly appeared inside the mailbox. The rule forwarded messages externally, moved replies into hidden folders and reduced the chance the user would notice suspicious activity.

This Agent Foskett investigation explores hidden mailbox persistence, suspicious forwarding behaviour and post-authentication compromise activity across Microsoft 365 environments.
Lesson: successful authentication does not mean the investigation is over. Sometimes the real compromise begins after the login succeeds.
OfficeActivity, Microsoft 365, Inbox Rules, KQL

Episode: The Dashboard Was Green

No critical alerts. No active incidents. Everything appeared healthy.

But hidden inside Microsoft Defender XDR telemetry were subtle behavioural signals: unusual sign-ins, suspicious SharePoint activity, persistent sessions and authentication patterns that did not match normal business behaviour.

This Agent Foskett investigation explores why modern security teams must move beyond dashboards and learn how to ask the data better questions.
Lesson: Modern investigations rarely begin with obvious alerts. The most important signals are often buried inside normal-looking telemetry, behavioural patterns and low-severity activity that nobody questioned.
Defender XDR, KQL Hunting, Security Telemetry

Operational security lessons

What healthy dashboards, green status screens and normal-looking telemetry can still miss.

Episode: Cyber Security Is Not Just Antivirus

In 2026, many organisations still believe cyber security means installing antivirus software and hoping for the best. But the threat landscape has moved far beyond traditional malware. This Agent Foskett investigation explores identity attacks, persistent sessions, spoofed domains, token theft, cloud telemetry and the hidden signals modern dashboards often miss.
Lesson: Modern attacks often target identities, sessions, cloud services and user behaviour rather than simply dropping malware onto a device. Security today is about visibility, interpretation and understanding the signals behind the events.
Microsoft Security, Identity Protection, Threat Hunting

Episode: Cyber Security Has Moved Beyond Basic Antivirus

Most organisations still ask the same question:

“Did antivirus detect anything?”

But modern attacks rarely look like traditional malware anymore. The dashboard may stay green while attackers operate quietly through trusted sessions, successful MFA prompts, OAuth abuse, browser token theft and suspicious cloud activity.

This Agent Foskett investigation explores why Microsoft Defender XDR, Sentinel, Entra ID telemetry and KQL threat hunting have become critical for investigating the hidden signals modern antivirus often misses.
Lesson: modern cyber security is no longer only about blocking malware — it is about understanding behaviour, identity, telemetry and the signals hidden inside trusted activity.
Microsoft Defender XDR, Threat Hunting, KQL, Identity Security, Microsoft Sentinel

Episode: The Session Token Never Expired

The user had not entered their password in months. No MFA prompt. No reauthentication. Every morning the laptop simply opened straight into Outlook, Teams and SharePoint. This investigation explores persistent Microsoft 365 sessions, refresh tokens, remembered devices and the growing security risks created when convenience quietly overrides identity controls.
Lesson: MFA does not automatically mean the session is safe. Long-lived authentication, persistent browser sessions and weak sign-in controls can quietly become one of the biggest blind spots in modern environments.
Session Security, Refresh Tokens, Conditional Access

Episode: The VPN Login Continued After The Exit Meeting

The employee had already been terminated. The laptop had been returned. HR believed access had been removed — but the VPN login attempts continued. This investigation explores incomplete offboarding, persistent sessions, identity gaps and the operational risks that survive after employee termination.
Lesson: Disabling an account is not always the same as removing access. Security visibility must extend across VPNs, sessions, devices, cloud apps and identity systems.
Identity Security, VPN Access, Offboarding

Episode: The User Shared The File With Everyone

The document was supposed to be internal. The link was only meant for a few people. Everything looked normal.

Then the permissions were checked.

The file was accessible to everyone. This Agent Foskett investigation explores SharePoint sharing links, OneDrive permissions, anonymous access, external collaboration and how sensitive information can become exposed without a single attacker.
Lesson: data breaches do not always begin with malware or compromise. Sometimes the risk starts with a sharing setting nobody questioned.
SharePoint, OneDrive, Data Exposure

Episode: The User Was Disabled… But The Account Was Still Active

HR confirmed the employee had left. The Microsoft 365 account was disabled. The laptop had supposedly been returned.

But the investigation showed something uncomfortable: active sessions were still alive, authentication tokens still existed, and access continued quietly in the background.

This Agent Foskett investigation explores incomplete offboarding, persistent Microsoft 365 sessions, refresh token survival, remembered devices and why disabling an account does not always terminate access immediately.
Lesson: disabling a user account is only part of offboarding. If sessions, tokens and trusted devices are not reviewed properly, access may quietly survive long after the employee has left.
Offboarding, Session Security, Microsoft Entra ID, Conditional Access

Episode: The User Was Added To A Privileged Group At 3:12AM

The sign-in looked legitimate. MFA succeeded. The account already appeared trusted.

No impossible travel alert. No malware detection. No obvious compromise warning.

But at 3:12AM, the user was quietly added to a privileged Microsoft Entra ID role. Global Administrator.

This Agent Foskett investigation explores privilege escalation, suspicious role assignments, PIM abuse, overnight administrative access and how attackers quietly move from user access to tenant control inside Microsoft 365.
Lesson: modern compromise does not always begin with ransomware or malware — sometimes it begins with a privileged role assignment nobody questioned.
Microsoft Entra ID, Privilege Escalation, AuditLogs, KQL

Episode: The Conditional Access Policy Was In Report-Only Mode

The policy existed. MFA was configured. Device compliance was evaluated. Risky sign-ins were being assessed.

Everything looked like it was protected.

But the policy was still in Report-Only mode. It evaluated the sign-in, recorded the result, and showed what would have happened.

It did not block anything.

This Agent Foskett investigation explores Conditional Access policies, report-only evaluation, MFA enforcement gaps, sign-in logs and the dangerous difference between a control that exists and a control that is actually enforced.
Lesson: a security policy that only reports is not the same as a security policy that protects. Visibility is useful — but enforcement is what stops the session.
Conditional Access, Report-Only, Microsoft Entra ID, SigninLogs

Episode: “Misconfigurations That Passed Health Checks But Failed Reality” — The Operational Gaps Hidden Behind Healthy Dashboards

Microsoft Defender was deployed. Sentinel was collecting logs. MFA was enabled. Secure Score looked healthy.

Yet during investigation, operational exposure still existed beneath apparently compliant Microsoft environments.

This Agent Foskett briefing explores how exclusions, configuration drift, incomplete telemetry and overlooked assumptions quietly survive inside environments that technically appear secure.
Lesson: dashboards may confirm configuration — but investigations reveal operational reality.
Microsoft Sentinel, Microsoft Defender XDR, KQL, Threat Hunting

Episode: I Opened The New Defender Portal… Now What?

Microsoft changed the experience. Sentinel moved into Defender. The dashboards looked empty. Widgets said “No data.” Automation rules were missing. Secure Score looked confusing.

Nothing appeared broken… but nothing made sense either.

This Agent Foskett briefing explains the new unified Microsoft Defender and Sentinel experience, why the portal looks different, what UEBA actually means, why dashboards appear empty at first, and the first things organisations should configure after onboarding.
Lesson: an empty dashboard does not mean nothing is happening — it usually means the investigation visibility has not been configured yet.
Microsoft Defender, Microsoft Sentinel, UEBA, Threat Hunting, KQL

Episode: The Process Tree Told The Real Story

The antivirus alert never triggered. The file looked legitimate. Signed by Microsoft. No obvious incident.

But one process launched another. Then another. Then PowerShell spawned silently in the background.

This Agent Foskett investigation follows parent and child process relationships inside Microsoft Defender XDR, using DeviceProcessEvents and KQL to uncover suspicious execution chains that dashboards may never explain.
Lesson: a single process name rarely tells the full story. The real investigation begins when you follow the parent, the child and the command line.
DeviceProcessEvents, Process Tree, Microsoft Defender XDR, KQL, Endpoint Investigation

Episode: The Child Process Shouldn't Have Existed

The alert itself wasn't unusual.

A user opened a Word document. Nobody worries when WINWORD.EXE starts.

Then Word launched PowerShell.

The parent process made sense. The child process did not.

This Agent Foskett investigation follows parent-child process relationships inside Microsoft Defender XDR using DeviceProcessEvents, ProcessCommandLine analysis and KQL to uncover suspicious execution chains hidden behind trusted applications.
Lesson: a process is only part of the story. The real investigation begins when you ask who launched it, why it appeared and whether it should have existed at all.
DeviceProcessEvents, Process Analysis, Microsoft Defender XDR, KQL, Threat Hunting

Episode: The Timeline Told The Story

The sign-in looked normal.

The data access looked normal.

The lateral movement looked normal.

The timeline changed everything.

This Agent Foskett investigation explores how Microsoft Defender XDR, IdentityLogonEvents, DeviceEvents, CloudAppEvents and KQL can reconstruct attacks by connecting events that appear unrelated in isolation.
Lesson: individual events rarely tell the full story. The timeline is where investigations become evidence.
Timeline Analysis, Microsoft Defender XDR, KQL, Investigation, Threat Hunting

Episode: The Device Was Talking To Something It Shouldn't

No malware alert. No ransomware warning. No user complaint. The endpoint looked healthy.

But one device kept reaching out to an IP address nobody recognised. Every hour. Every day.

This Agent Foskett investigation explores how Microsoft Defender XDR, DeviceNetworkEvents, DeviceProcessEvents, remote IP analysis and KQL can reveal suspicious outbound communications hidden inside normal device activity.
Lesson: endpoint investigations do not stop at process names. Network behaviour can reveal what the device was really trying to reach.
DeviceNetworkEvents, DeviceProcessEvents, Microsoft Defender XDR, KQL, Endpoint Investigation

Episode: The Connection Happened At 1:22AM

Nobody was supposed to be working.

Yet at exactly 1:22AM, a workstation connected to an IP address nobody recognised.

No alert fired. No ticket was created.

This Agent Foskett investigation explores how Microsoft Defender XDR, DeviceNetworkEvents, DeviceProcessEvents and KQL can uncover suspicious after-hours activity hidden inside normal endpoint telemetry.
Lesson: a connection may look normal during business hours. The same connection at 1:22AM can completely change the investigation.
DeviceNetworkEvents, DeviceProcessEvents, Microsoft Defender XDR, KQL, After-Hours Activity

Episode: “The PowerShell Never Triggered An Alert” — The Activity Defender Saw But Nobody Investigated

No ransomware. No critical alert. No obvious malware detection.

Just a quiet PowerShell process using encoded commands, hidden execution and suspicious outbound behaviour that blended into normal activity.

This Agent Foskett briefing explores how Microsoft Defender telemetry can reveal suspicious execution chains even when no incident is generated.
Lesson: real attacks do not always trigger alarms — sometimes they execute quietly until somebody notices the behaviour.
PowerShell, Threat Hunting, KQL, Microsoft Defender XDR

Episode: The PowerShell Command Was Base64 Encoded

No ransomware alert. No obvious malware. No suspicious filename.

Just a PowerShell command and a long string of characters that looked meaningless.

But the command wasn't meaningless. It was encoded.

This Agent Foskett investigation explores Base64 encoded PowerShell commands, DeviceProcessEvents, ProcessCommandLine analysis, suspicious parent processes and how Microsoft Defender XDR can reveal activity hidden inside encoded execution chains.
Lesson: encoded commands are not automatically malicious — but they are often worth investigating. The real story is rarely the encoded text itself. It is what happened after the command executed.
PowerShell, DeviceProcessEvents, KQL, Microsoft Defender XDR, Threat Hunting

Episode: The EncodedCommand Was Buried In Noise

The alert wasn't critical. No ransomware was detected. No malware family was identified.

Just thousands of normal process events. Software updates. Management agents. Defender activity. Scheduled tasks.

Buried inside that operational noise was a single PowerShell EncodedCommand.

This Agent Foskett investigation explores PowerShell EncodedCommand activity, DeviceProcessEvents, ProcessCommandLine analysis, parent-child process relationships and how Microsoft Defender XDR can reveal suspicious execution hidden inside normal endpoint telemetry.
Lesson: the attacker didn't hide the command. They hid it among everything else. The telemetry existed the entire time — someone just had to keep looking.
EncodedCommand, PowerShell, DeviceProcessEvents, Microsoft Defender XDR, KQL

Episode: The Browser Spawned PowerShell

The browser was trusted. PowerShell was trusted. The user was trusted.

But the process chain was not.

Microsoft Defender XDR showed a browser process launching PowerShell, creating an execution path that deserved investigation.

This Agent Foskett investigation explores browser-spawned PowerShell, DeviceProcessEvents, parent-child process relationships, suspicious command lines, fake verification prompts and how endpoint telemetry can reveal activity hidden behind trusted applications.
Lesson: trusted applications can still create suspicious process chains. The browser was not the problem by itself. PowerShell was not the problem by itself. The relationship between them changed the investigation.
Browser Spawned PowerShell, DeviceProcessEvents, Process Chain, Microsoft Defender XDR, KQL

Episode: Rundll32 Looked Legitimate

Signed Microsoft binary. Running from System32. No obvious malware alert. No user complaint.

Everything looked legitimate — until Microsoft Defender XDR telemetry showed unusual command-line arguments, suspicious DLL execution paths, strange parent process activity and unexpected outbound connections.

This Agent Foskett investigation explores how attackers abuse trusted Windows binaries like rundll32.exe, and how DeviceProcessEvents and DeviceNetworkEvents can reveal behaviour that the filename alone does not explain.
Lesson: trusted process names do not automatically mean trusted behaviour. The real question is what the process was actually doing.
Rundll32, LOLBin, DeviceProcessEvents, Microsoft Defender XDR, KQL

Episode: The Process Was Signed By Microsoft

The file was signed. The publisher looked trusted. No malware alert fired.

Everything appeared legitimate — until Microsoft Defender XDR telemetry revealed suspicious command lines, unusual parent process activity, LOLBin behaviour and outbound network connections that did not fit normal activity.

This Agent Foskett investigation explores how attackers abuse trusted Microsoft-signed binaries and why defenders must investigate behaviour, not just signatures.
Lesson: a trusted signature does not automatically mean trusted behaviour. The real investigation begins when you ask what the process actually did.
Microsoft Defender XDR, LOLBin, Signed Processes, DeviceProcessEvents, KQL

Episode: The CertUtil Command Downloaded Something At 2:17AM

The executable was signed by Microsoft. It already existed on every workstation. No malware alert fired.

Then CertUtil.exe downloaded a file from the internet.

The binary was trusted. The behaviour was not.

This Agent Foskett investigation explores CertUtil abuse, Living-Off-The-Land Binaries (LOLBins), DeviceProcessEvents, ProcessCommandLine analysis and how Microsoft Defender XDR can uncover suspicious downloads hidden behind legitimate Windows utilities.
Lesson: trusted binaries are not automatically trustworthy. The real investigation begins when you examine the command line, the parent process and what happened next.
CertUtil LOLBin DeviceProcessEvents Microsoft Defender XDR KQL
Episode: The Attachment Was Never Opened
The email arrived quietly. The attachment passed initial checks. The user said they never opened it.

But later, Microsoft Defender XDR showed suspicious file activity, PowerShell execution, outbound connections and endpoint behaviour that pointed toward something far more serious.

This Agent Foskett investigation follows attachment telemetry, SHA256 pivots, DeviceFileEvents and post-delivery activity across Microsoft Defender XDR.
Lesson: the dangerous part is not always the attachment itself — it is what happens after the file reaches the endpoint.
Microsoft Defender XDR EmailAttachmentInfo DeviceFileEvents KQL
Episode: The User Opened The Attachment Two Days Later
The email looked harmless. It arrived on Monday morning. Nobody reported it. No alert fired.

Then on Wednesday afternoon, the attachment was opened.

This Agent Foskett investigation explores how Microsoft Defender XDR, EmailEvents, EmailAttachmentInfo, NetworkMessageId, timestamps and KQL can reveal when a suspicious attachment becomes dangerous long after the email was delivered.
Lesson: email delivery is not the end of the investigation. An attachment opened days later can turn old mailbox telemetry into a live security incident.
EmailAttachmentInfo EmailEvents NetworkMessageId KQL Microsoft Defender XDR
Email, DMARC and spoofing investigations
EmailEvents, AuthenticationDetails, SpoofedDomain, sender alignment, DMARC failures and phishing analysis.
Episode: UrlClickEvents
The email was only part of the story. The click revealed what happened next.

This Agent Foskett briefing explains how UrlClickEvents can help defenders investigate clicked links, allowed clicks, blocked clicks, delayed user activity and post-delivery behaviour inside Microsoft Defender XDR.
Lesson: delivery tells you the message arrived. UrlClickEvents tells you whether the user interacted with it.
UrlClickEvents EmailEvents Microsoft Defender XDR KQL
Episode: The Email Promised $5,695. The Link Told A Different Story
The email claimed an inactive account contained $5,695 waiting to be claimed.

All the recipient had to do was reply and begin the ownership confirmation process.

But the sender was using Gmail. The contact method was Telegram. And hidden inside the message was a tracking link.

This Agent Foskett investigation explores advance-fee social engineering, suspicious contact channels, fake unsubscribe prompts, Google Script tracking links, recipient identifiers and why engagement can be the real prize.
Lesson: the money was bait. The tracking link revealed the real investigation — who clicked, who replied and which mailbox had a human behind it.
Social Engineering Email Tracking Phishing Telegram Investigation
Episode: The Agreement Was Ready. The Sender Wasn't.
A vendor agreement had supposedly been prepared for GEMXIT.

The email included a reference number, a compliance contact and a link to open the document.

But it wasn't coming from GEMXIT.

It was coming from halloweenville.uk.

This Agent Foskett investigation explores domain impersonation, redirect links, suspicious sender infrastructure and why routine business emails can be some of the most effective social engineering attacks.
Lesson: the agreement looked legitimate. The sender infrastructure told a different story.
Social Engineering Email Security Domain Analysis Phishing Investigation
Episode: The Disney Email Wasn’t From Disney
The Disney branding looked real. The layout looked polished. The message claimed a subscription update was needed.

But the sender was not Disney. The email came from an unrelated domain, used tracking infrastructure, and pushed the recipient toward suspicious external links.

This Agent Foskett investigation explores brand impersonation, sender mismatch, redirect chains and phishing analysis using Microsoft Defender XDR, EmailEvents and UrlClickEvents.
Lesson: branding is not identity. A phishing email can look perfect on the surface while the sender, authentication signals and redirect chain tell a completely different story.
Phishing Brand Impersonation EmailEvents UrlClickEvents Microsoft Defender
Episode: The Secure File Came From A Body Contouring Clinic
The email looked like Microsoft. A secure document was waiting. The GEMXIT name was used.

But the sender was not Microsoft. The sender was not GEMXIT.

This Agent Foskett investigation explores Microsoft brand impersonation, display name spoofing, secure document phishing lures, copied email threads and how sender evidence can expose the story the email body tried to hide.
Lesson: branding is not identity. The display name may look trusted, but the sender address and telemetry tell the real story.
Microsoft Impersonation Phishing Display Name Spoofing EmailEvents KQL
Episode: The Invoice Wasn't An Email. It Was A Calendar Invite
The message claimed an Avast subscription had renewed. The amount was $473 USD. The phone numbers looked urgent.

But the scam wasn't hiding in an email attachment. It wasn't a fake login page.

It arrived as a calendar invitation.

This Agent Foskett investigation explores fake subscription renewals, calendar invitation abuse, social engineering, phone-based scams and how attackers increasingly use trusted platforms like Outlook and Google Calendar to bypass traditional email suspicion.
Lesson: attackers don't always want your password. Sometimes they just want you to call the number they control. The invitation looked legitimate. The organiser told a very different story.
Calendar Scam Phishing Social Engineering Email Security Microsoft Defender
Episode: Detect Email Spoofing in Microsoft Defender
Most spoofed emails don’t trigger alerts.

This is the full detection guide using real Microsoft Defender data — EmailEvents, AuthenticationDetails, DMARC failures, spoofed domains and user click activity.

👉 Built from real-world investigations where everything looked “normal”… until it wasn’t.
Lesson: attackers don’t always break in — sometimes they just look trusted. Your job is to prove they’re not.
Email Spoofing KQL Microsoft Defender DMARC
Episode: SpoofedDomain in EmailEvents: What It Means and How to Investigate It
The sender looked trusted. The email looked legitimate. The domain appeared familiar.

But the telemetry told a different story.

This Agent Foskett investigation explores SpoofedDomain, AuthenticationDetails, DMARC failures, sender alignment and Microsoft Defender XDR EmailEvents telemetry to help defenders investigate suspicious email behaviour using KQL.
Lesson: trust is not built from what the user sees — it is built from what the telemetry proves.
SpoofedDomain EmailEvents AuthenticationDetails KQL Microsoft Defender
Episode: The EmailAuthenticationResults Looked Fine
The sender looked trusted. The email passed through the environment quietly. The inbox showed nothing suspicious.

But hidden inside Microsoft Defender XDR telemetry, EmailAuthenticationResults and AuthenticationDetails revealed a very different story.

This Agent Foskett investigation explores SPF, DKIM, DMARC, sender alignment, SpoofedDomain analysis and suspicious email authentication behaviour using KQL inside Microsoft Defender.
Lesson: successful authentication does not automatically mean trusted behaviour — the investigation starts when you compare what the user saw against what the telemetry proved.
EmailAuthenticationResults AuthenticationDetails EmailEvents KQL Microsoft Defender
Episode: SpoofedDomain and EmailEvents in Microsoft Defender
The email looked legitimate.

But the data told a different story — SpoofedDomain signals, EmailEvents, AuthenticationDetails, DMARC failures and suspicious sender alignment all pointed to something that did not add up.

👉 Built for the exact Microsoft Defender hunting questions security teams ask when spoofed email looks trusted.
Lesson: spoofed emails are not always obvious to users — but EmailEvents and AuthenticationDetails can reveal the trust signals that failed behind the scenes.
SpoofedDomain EmailEvents KQL Microsoft Defender
Episode: “We Won $7,146,325.16…” — The Crypto Scam That Didn’t Need Your Password
The email looked exciting. The reward looked real. No malware, no exploit — just a message designed to make the user act.

This Agent Foskett briefing shows how modern scams use wallet connections, approval prompts and external channels to bypass traditional security controls.
Lesson: attackers don’t always break in — sometimes they convince you to let them in.
Email Security Phishing Social Engineering Microsoft Defender
Episode: AuthenticationDetails Explained
The email passed. The system allowed it. Everything looked fine.

But the authentication didn’t align — DMARC failed, signals conflicted, and the evidence told a different story.

This investigation shows how to read SPF, DKIM, DMARC and CompAuth in Microsoft Defender using KQL.
Lesson: passed authentication doesn’t always mean trusted — interpretation is where real detection begins.
AuthenticationDetails KQL Microsoft Defender
Episode: SenderFrom vs SenderMailFrom
The email looked legitimate. The sender matched what the user expected.

But behind the scenes, the domains didn’t align — what was shown and what was processed were not the same.

This investigation explains how to detect sender mismatch using EmailEvents and why it matters for spoofing detection.
Lesson: what the user sees isn’t always what the system processed — mismatched domains are where spoofing begins.
EmailEvents Sender Mismatch Microsoft Defender
Episode: The Sender Wasn't Really The Sender
The display name looked trusted. The visible sender looked familiar. The email appeared to come from the right place.

But Microsoft Defender XDR showed something different.

SenderFromAddress, SenderMailFromAddress, ReturnPath, SpoofedDomain and AuthenticationDetails did not tell the same story.

This Agent Foskett investigation explores sender identity, envelope sender mismatch, spoofed email signals and why the visible From address is only one part of the email investigation.
Lesson: in email investigations, the sender is not always who the user sees. Compare the visible sender, envelope sender, return path and authentication results before trusting the message.
SenderFromAddress SenderMailFromAddress EmailEvents SpoofedDomain KQL
Episode: The DMARC Failure Nobody Investigated
The email was delivered. No malware alert. No quarantine action. No user complaint.

But hidden inside AuthenticationDetails was a clue most teams never investigate.

dmarc=fail

This Agent Foskett investigation explores how Microsoft Defender XDR, EmailEvents and KQL can uncover DMARC failures, suspicious sender authentication and messages that deserve deeper investigation.
Lesson: a DMARC failure is not always malicious — but it is always a clue worth investigating.
DMARC AuthenticationDetails EmailEvents KQL Microsoft Defender
Episode: The Link Was Clicked After The Email Was Delivered
The email was delivered. No malware alert. No quarantine action. No user complaint.

AuthenticationDetails showed a DMARC failure. Nobody investigated it.

Then somebody clicked the link.

This Agent Foskett investigation explores Microsoft Defender XDR, EmailEvents, NetworkMessageId, UrlClickEvents and KQL to determine what happened after the message reached the inbox.
Lesson: email delivery is not the end of the investigation — what happens after the click often tells the real story.
UrlClickEvents NetworkMessageId EmailEvents KQL Microsoft Defender
Episode: The User Clicked The Link Three Days Later
The email arrived on Monday. No alert. No incident. No reason to investigate.

It sat quietly in the inbox for three days.

Then somebody clicked the link.

This Agent Foskett investigation explores how Microsoft Defender XDR, EmailEvents, UrlClickEvents, NetworkMessageId and KQL can reveal when a delayed click turns an old email into an active security incident.
Lesson: email delivery is only the beginning. A link clicked days later can completely change the investigation timeline.
UrlClickEvents NetworkMessageId EmailEvents KQL Microsoft Defender
Episode: DMARC Failed… But the Email Was Delivered
The email looked legitimate. The sender felt familiar. No alert was triggered.

But behind the scenes, DMARC had failed — and the message was still delivered.

No block. No warning. Just a trusted email that shouldn’t have been trusted.
Lesson: a delivered email isn’t always a safe email — authentication failures still need investigation.
DMARC Email Spoofing Microsoft Defender
Episode: The Email Passed SPF… But Was Still Malicious
SPF passed. DKIM passed. DMARC passed.

The email looked legitimate. Microsoft 365 delivered it successfully. No major alert triggered.

But deeper investigation exposed suspicious reply-chain behaviour, unusual URL activity, compromised sender indicators and authentication signals that did not align with normal business behaviour.

This Agent Foskett investigation explores how malicious emails can still appear trusted inside Microsoft Defender XDR even when authentication checks technically succeed.
Lesson: successful SPF, DKIM and DMARC checks do not automatically make an email safe. Real investigations require behavioural analysis, context and understanding what the telemetry is actually saying.
SPF EmailEvents AuthenticationDetails Microsoft Defender KQL
Episode: The After-Hours Download Nobody Questioned
The login looked normal. The account was valid. MFA had already passed.

But late at night, files started moving — dozens of downloads from SharePoint that didn’t match the user, the role, or the time.

No alert triggered. Because technically… everything was allowed.
Lesson: allowed access doesn’t mean safe behaviour — context, timing and volume matter.
SharePoint Data Access Behaviour Analysis
Episode: EmailEvents KQL Guide for Microsoft Defender
A practical Agent Foskett guide to understanding EmailEvents in Microsoft Defender. Learn how to read sender fields, interpret AuthenticationDetails, analyse delivery outcomes, and move from suspicious emails to real investigation using KQL.
Lesson: EmailEvents doesn’t just show emails — it shows what actually happened.
EmailEvents KQL Microsoft Defender Email Investigation
Episode: Detect DMARC Fail Emails in Microsoft Defender
A focused Agent Foskett investigation into DMARC failures using EmailEvents and AuthenticationDetails. Learn how to find failed authentication, check delivery outcomes, and identify spoofing, misconfigured senders or suspicious email behaviour across your environment.
Lesson: DMARC fail doesn’t mean blocked — it means something doesn’t add up. Start there.
DMARC Email Security KQL Microsoft Defender
Episode: The MFA Was Enabled… But the Attacker Still Got In
A real-world Agent Foskett briefing showing how attackers can reuse authenticated sessions even when MFA is enabled, and why Microsoft 365 security needs more than just successful sign-in checks.
Lesson: MFA protects authentication — but session behaviour still needs to be monitored.
MFA Session Hijacking Microsoft 365 Security
Episode: DMARC Failures Explained… with KQL
The email looked legitimate… but DMARC told a different story. This guide breaks down real Microsoft Defender KQL queries using EmailEvents and AuthenticationDetails to uncover spoofing, sender misalignment and failed authentication signals.
Lesson: a “DMARC fail” is not always an attack — but it is always a signal worth investigating.
KQL DMARC Defender
Episode: “Detect Email Spoofing in Microsoft 365 with KQL”
A practical Agent Foskett briefing using EmailEvents, AuthenticationDetails and KQL to detect spoofed email, failed sender authentication, internal-looking messages and suspicious delivery patterns.
Lesson: if the message looks trusted but the authentication story fails, the real question is what happened next.
Email Security KQL Microsoft 365
Episode: “The Alert Wasn’t Understood”
A low-confidence Defender alert showed suspicious PowerShell activity. No action taken. But when correlated across process, network and identity logs, it revealed a coordinated chain.
Lesson: the danger isn’t always the alert — it’s failing to understand what it means.
Defender Sentinel KQL
Episode: “The Email Came From Me”
An email appeared to come from the same address it was sent to. No breach, no login, no compromise — just identity spoofing exploiting weak email trust enforcement.
Lesson: if DMARC isn’t enforced, you don’t control your identity — attackers do.
Email Security DMARC Phishing
Episode: The Logs Already Knew
No high-severity alerts. No incidents. No panic. Just one successful sign-in that looked valid on paper, until Sentinel, Defender and Entra ID exposed impossible travel, token reuse and a stolen session moving quietly.
Lesson: the danger is not always the alert you missed — it is the pattern you never looked for.
KQL Sentinel Entra ID
Episode: “The Missing Click”
Everything looked configured correctly in Microsoft 365, yet phishing emails kept getting through. The issue wasn’t a sophisticated attack — it was a transport rule that existed, but was never actually enabled.
Lesson: a security control that exists but isn’t enabled is effectively no control at all.
Microsoft 365 Exchange Online Phishing
Episode: Azure Looked Healthy… Until One VM Failed
An Azure finance environment looked fine until a critical VM failed. Backup was failing silently, no restore testing had been done, no ASR existed, and RDP was still exposed to the internet.
Lesson: cloud does not automatically make systems resilient — resilience still has to be engineered.
Azure Backup Resilience
Episode: The RDP Port Was Open… And Everyone Could See It
A public-facing RDP service looked harmless until logs revealed global connection attempts and constant probing. Nothing had “happened” yet, but the internet had already noticed it.
Lesson: exposed services are discovered faster than most organisations realise.
RDP Exposure Azure Security
Episode: Public Storage. No Authentication.
A storage configuration looked convenient for sharing, but public access left data exposed without meaningful control. The setting was small. The impact could have been huge.
Lesson: one misconfigured storage setting can undo a lot of good security work.
Azure Storage Public Access Data Exposure
Episode: “When Nothing Looks Wrong”
No alerts, no outages, no angry calls — yet a quick review found a global admin without MFA, legacy auth still enabled, short audit log retention, and Conditional Access not enforcing as expected.
Lesson: most breaches don’t start with alarms, they start with assumptions.
Audit Logs Global Admin Review
Episode: “The MFA Was On… Just Not Everywhere”
MFA existed on paper, but not for legacy authentication, temporary exclusions, or forgotten service accounts. Sign-in logs showed password spray activity quietly probing the tenant.
Lesson: MFA doesn’t protect what it doesn’t cover.
Entra ID MFA Legacy Auth
Episode: “Just This One Exception”
One temporary Conditional Access exclusion was added to help a user while travelling. It was never reviewed, never removed, and quietly weakened the tenant for months.
Lesson: most security failures start with well-intentioned shortcuts, not attackers.
Conditional Access MFA Zero Trust
Episode: Using Impossible Travel Sign-ins to Teach Real-World Security Skills
A user account appeared to sign in successfully from Melbourne and then London within minutes. The login worked, but the geography told a very different story about identity risk.
Lesson: successful authentication does not always mean trusted access.
Entra ID Impossible Travel Identity Risk
Episode: Building Security Intuition with Sentinel Workbooks
Security data was already flowing into the platform, but the real patterns stayed hidden until it was visualised properly. Once the noise became visible, the risks became much easier to understand.
Lesson: people act faster on security data when they can actually see the story it is telling.
Microsoft Sentinel Workbooks Visibility
Episode: AI Rollout… But the Guardrails Weren’t
AI tools had been deployed to boost productivity, but access was too broad, governance was unclear, and no one had tested what happened when users got creative with prompts.
Lesson: AI is not set-and-forget. Unsecured AI behaves like a highly motivated internal user with broad access.
AI Security Governance Data Access
Episode: Your Organisation Might Soon Have AI Employees
AI tools are starting to act more like users — accessing data, making decisions, and interacting across systems. But without clear governance, they can expose information faster than most organisations realise.
Lesson: AI should be treated like a user — with identity, access control, and monitoring.
AI Security Governance Data Access
Episode: Good Friday Cyber Briefing
Most organisations already have the tools, but they still do not have the visibility. Azure is deployed, Microsoft 365 is in place, and logs are being collected, yet nobody is asking what the data is actually saying.
Lesson: security is not just configuration — it is interpretation.
Azure Sentinel Defender

How to use these briefings

These are not theoretical write-ups. They are practical signals to compare against your own environment.
Look for familiar patterns
Many environments have the same quiet weaknesses: a disabled rule, a forgotten exception, an exposed cloud resource, or an identity control that is only partially applied.

Turn observations into action
The point of these briefings is not alarm. It is awareness. Small observations often become practical fixes, and practical fixes are what strengthen resilience.

Use them as a review lens
If a scenario feels familiar, it is worth checking whether the same condition exists in your own tenant, cloud estate or security processes before attackers discover it first.
Looking for a practical security review?
GEMXIT helps organisations assess Microsoft 365, Azure and identity security to identify risks, strengthen controls and improve resilience.

Agent Foskett Cybersecurity Briefings by GEMXIT

Agent Foskett is a cybersecurity briefing series by GEMXIT focused on Microsoft 365 security, Azure cloud security, identity protection, phishing detection, multi-factor authentication, Conditional Access, Microsoft Sentinel and KQL threat hunting.

These briefings highlight real-world scenarios including email spoofing, DMARC failures, session hijacking, impossible travel sign-ins, exposed cloud services, AI governance risks and misconfigured security controls.

The Agent Foskett hub connects practical investigations across Microsoft Defender, Sentinel, Entra ID, Exchange Online and Azure so organisations can understand the signals behind security events and improve their defensive posture.