Cyber Security • Real-world lessons • Agent Foskett

Agent Foskett Cyber Briefings

Agent Foskett is GEMXIT’s official cyber security briefing series, created to help organisations understand real Microsoft security signals, threat hunting patterns and practical defensive lessons. These briefings are based on real-world observations across Microsoft 365, Azure environments, identity security, phishing investigations, cloud misconfigurations, KQL threat hunting and emerging AI governance challenges. Each scenario highlights what actually happened, what was missed, and what organisations can do before small issues become serious incidents.


Agent Foskett Friday Cyber Briefings
About the briefings

Agent Foskett briefings translate real technical observations into clear, practical lessons for organisations operating modern Microsoft environments. They focus on the kinds of issues that often go unnoticed until they become operational, security or governance risks.

Practical security observations
Real-world configuration lessons
Modern Microsoft security insights
Start here: Microsoft Defender KQL Threat Hunting Guide
Real Microsoft Defender, Sentinel and Entra ID queries used in practical investigations, including spoofed email, AuthenticationDetails, EmailEvents, URL clicks and suspicious sign-ins.

Why organisations read these briefings

Short, practical insights that help organisations recognise common security risks before they become incidents.
Real security scenarios
Microsoft ecosystem insights
Practical defensive thinking
KQL threat hunting

Friday Cyber Briefings

A selection of real-world cyber security scenarios covering Microsoft 365, Azure infrastructure, identity protection, cloud exposure and emerging risks. Each briefing highlights the situation, the underlying issue and the lesson learned.
Episode: DMARC Failures Explained… with KQL
The email looked legitimate… but DMARC told a different story. This guide breaks down real Microsoft Defender KQL queries using EmailEvents and AuthenticationDetails to uncover spoofing, sender misalignment and failed authentication signals.
Lesson: a “DMARC fail” is not always an attack — but it is always a signal worth investigating.
Tags: KQL, DMARC, Defender

Episode: Start Here: Microsoft Defender KQL Threat Hunting Guide
The core Agent Foskett playbook. Real KQL queries used to detect spoofed email, authentication failures, suspicious sign-ins, URL clicks and hidden activity across Microsoft Defender, Sentinel and Entra ID.
Lesson: security isn’t only about alerts — it’s about asking the right questions of your data.
Tags: KQL, Threat Hunting, Microsoft Defender

Episode: Microsoft Defender KQL Threat Hunting (Complete Guide)
The full Agent Foskett investigation playbook. Follow real-world attack paths across Microsoft Defender using KQL — from email spoofing and DMARC failures to URL clicks, identity pivots, endpoint behaviour and cloud activity.
Lesson: the alerts don’t tell the full story — the data does. Follow the behaviour, not just the signal.
Tags: KQL, Threat Hunting, Microsoft Defender, Investigation

Episode: Detect Email Spoofing in Microsoft Defender
Most spoofed emails don’t trigger alerts.

This is the full detection guide using real Microsoft Defender data — EmailEvents, AuthenticationDetails, DMARC failures, spoofed domains and user click activity.

👉 Built from real-world investigations where everything looked “normal”… until it wasn’t.
Lesson: attackers don’t always break in — sometimes they just look trusted. Your job is to prove they’re not.
Tags: Email Spoofing, KQL, Microsoft Defender, DMARC

Episode: Detect DMARC Fail Emails in Microsoft Defender
A focused Agent Foskett investigation into DMARC failures using EmailEvents and AuthenticationDetails. Learn how to find failed authentication, check delivery outcomes, and identify spoofing, misconfigured senders or suspicious email behaviour across your environment.
Lesson: DMARC fail doesn’t mean blocked — it means something doesn’t add up. Start there.
Tags: DMARC, Email Security, KQL, Microsoft Defender

Episode: EmailEvents KQL Guide for Microsoft Defender
A practical Agent Foskett guide to understanding EmailEvents in Microsoft Defender. Learn how to read sender fields, interpret AuthenticationDetails, analyse delivery outcomes, and move from suspicious emails to real investigation using KQL.
Lesson: EmailEvents doesn’t just show emails — it shows what actually happened.
Tags: EmailEvents, KQL, Microsoft Defender, Email Investigation

Episode: The MFA Was Enabled… But the Attacker Still Got In
A real-world Agent Foskett briefing showing how attackers can reuse authenticated sessions even when MFA is enabled, and why Microsoft 365 security needs more than just successful sign-in checks.
Lesson: MFA protects authentication — but session behaviour still needs to be monitored.
Tags: MFA, Session Hijacking, Microsoft 365 Security

Episode: DMARC Failed… But the Email Was Delivered
The email looked legitimate. The sender felt familiar. No alert was triggered.

But behind the scenes, DMARC had failed — and the message was still delivered.

No block. No warning. Just a trusted email that shouldn’t have been trusted.
Lesson: A delivered email isn’t always a safe email — authentication failures still need investigation.
Tags: DMARC, Email Spoofing, Microsoft Defender

Episode: AuthenticationDetails Explained
The email passed. The system allowed it. Everything looked fine.

But the authentication didn’t align — DMARC failed, signals conflicted, and the evidence told a different story.

This investigation shows how to read SPF, DKIM, DMARC and CompAuth in Microsoft Defender using KQL.
Lesson: Passed authentication doesn’t always mean trusted — interpretation is where real detection begins.
Tags: AuthenticationDetails, KQL, Microsoft Defender

Episode: SenderFrom vs SenderMailFrom
The email looked legitimate. The sender matched what the user expected.

But behind the scenes, the domains didn’t align — what was shown and what was processed were not the same.

This investigation explains how to detect sender mismatch using EmailEvents and why it matters for spoofing detection.
Lesson: What the user sees isn’t always what the system processed — mismatched domains are where spoofing begins.
Tags: EmailEvents, Sender Mismatch, Microsoft Defender

Episode: The After-Hours Download Nobody Questioned
The login looked normal. The account was valid. MFA had already passed.

But late at night, files started moving — dozens of downloads from SharePoint that didn’t match the user, the role, or the time.

No alert triggered. Because technically… everything was allowed.
Lesson: Allowed access doesn’t mean safe behaviour — context, timing and volume matter.
Tags: SharePoint, Data Access, Behaviour Analysis

Episode: “Detect Email Spoofing in Microsoft 365 with KQL”
A practical Agent Foskett briefing using EmailEvents, AuthenticationDetails and KQL to detect spoofed email, failed sender authentication, internal-looking messages and suspicious delivery patterns.
Lesson: if the message looks trusted but the authentication story fails, the real question is what happened next.
Tags: Email Security, KQL, Microsoft 365

Episode: AI Rollout… But the Guardrails Weren’t
AI tools had been deployed to boost productivity, but access was too broad, governance was unclear, and no one had tested what happened when users got creative with prompts.
Lesson: AI is not set-and-forget. Unsecured AI behaves like a highly motivated internal user with broad access.
Tags: AI Security, Governance, Data Access

Episode: Azure Looked Healthy… Until One VM Failed
An Azure finance environment looked fine until a critical VM failed. Backup was failing silently, no restore testing had been done, no ASR existed, and RDP was still exposed to the internet.
Lesson: cloud does not automatically make systems resilient — resilience still has to be engineered.
Tags: Azure, Backup, Resilience

Episode: Building Security Intuition with Sentinel Workbooks
Security data was already flowing into the platform, but the real patterns stayed hidden until it was visualised properly. Once the noise became visible, the risks became much easier to understand.
Lesson: people act faster on security data when they can actually see the story it is telling.
Tags: Microsoft Sentinel, Workbooks, Visibility

Episode: Good Friday Cyber Briefing
Most organisations already have the tools, but they still do not have the visibility. Azure is deployed, Microsoft 365 is in place, and logs are being collected, yet nobody is asking what the data is actually saying.
Lesson: security is not just configuration — it is interpretation.
Tags: Azure, Sentinel, Defender

Episode: “Just This One Exception”
One temporary Conditional Access exclusion was added to help a user while travelling. It was never reviewed, never removed, and quietly weakened the tenant for months.
Lesson: most security failures start with well-intentioned shortcuts, not attackers.
Tags: Conditional Access, MFA, Zero Trust

Episode: The Logs Already Knew
No high severity alerts. No incidents. No panic. Just one successful sign-in that looked valid on paper, until Sentinel, Defender and Entra ID exposed impossible travel, token reuse and a stolen session moving quietly.
Lesson: the danger is not always the alert you missed — it is the pattern you never looked for.
Tags: KQL, Sentinel, Entra ID

Episode: “The MFA Was On… Just Not Everywhere”
MFA existed on paper, but not for legacy authentication, temporary exclusions, or forgotten service accounts. Sign-in logs showed password spray activity quietly probing the tenant.
Lesson: MFA doesn’t protect what it doesn’t cover.
Tags: Entra ID, MFA, Legacy Auth

Episode: “The Missing Click”
Everything looked configured correctly in Microsoft 365, yet phishing emails kept getting through. The issue wasn’t a sophisticated attack — it was a transport rule that existed, but was never actually enabled.
Lesson: a security control that exists but isn’t enabled is effectively no control at all.
Tags: Microsoft 365, Exchange Online, Phishing

Episode: The RDP Port Was Open… And Everyone Could See It
A public-facing RDP service looked harmless until logs revealed global connection attempts and constant probing. Nothing had “happened” yet, but the internet had already noticed it.
Lesson: exposed services are discovered faster than most organisations realise.
Tags: RDP Exposure, Azure Security

Episode: Public Storage. No Authentication.
A storage configuration looked convenient for sharing, but public access left data exposed without meaningful control. The setting was small. The impact could have been huge.
Lesson: one misconfigured storage setting can undo a lot of good security work.
Tags: Azure Storage, Public Access, Data Exposure

Episode: Using Impossible Travel Sign-ins to Teach Real-World Security Skills
A user account appeared to sign in successfully from Melbourne and then London within minutes. The login worked, but the geography told a very different story about identity risk.
Lesson: successful authentication does not always mean trusted access.
Tags: Entra ID, Impossible Travel, Identity Risk

Episode: “When Nothing Looks Wrong”
No alerts, no outages, no angry calls — yet a quick review found a global admin without MFA, legacy auth still enabled, short audit log retention, and Conditional Access not enforcing as expected.
Lesson: most breaches don’t start with alarms, they start with assumptions.
Tags: Audit Logs, Global Admin, Review

Episode: Your Organisation Might Soon Have AI Employees
AI tools are starting to act more like users — accessing data, making decisions, and interacting across systems. But without clear governance, they can expose information faster than most organisations realise.
Lesson: AI should be treated like a user — with identity, access control, and monitoring.
Tags: AI Security, Governance, Data Access

Episode: “The Alert Wasn’t Understood”
A low-confidence Defender alert showed suspicious PowerShell activity. No action taken. But when correlated across process, network and identity logs, it revealed a coordinated chain.
Lesson: the danger isn’t always the alert — it’s failing to understand what it means.
Tags: Defender, Sentinel, KQL

Episode: “The Email Came From Me”
An email appeared to come from the same address it was sent to. No breach, no login, no compromise — just identity spoofing exploiting weak email trust enforcement.
Lesson: if DMARC isn’t enforced, you don’t control your identity — attackers do.
Tags: Email Security, DMARC, Phishing

Episode: “We Won $7,146,325.16…” — The Crypto Scam That Didn’t Need Your Password
The email looked exciting. The reward looked real. No malware, no exploit — just a message designed to make the user act.

This Agent Foskett briefing shows how modern scams use wallet connections, approval prompts and external channels to bypass traditional security controls.
Lesson: attackers don’t always break in — sometimes they convince you to let them in.
Tags: Email Security, Phishing, Social Engineering, Microsoft Defender


How to use these briefings

These are not theoretical write-ups. They are practical signals to compare against your own environment.
Look for familiar patterns
Many environments have the same quiet weaknesses: a disabled rule, a forgotten exception, an exposed cloud resource, or an identity control that is only partially applied.

Turn observations into action
The point of these briefings is not alarm. It is awareness. Small observations often become practical fixes, and practical fixes are what strengthen resilience.

Use them as a review lens
If a scenario feels familiar, it is worth checking whether the same condition exists in your own tenant, cloud estate or security processes before attackers discover it first.

Looking for a practical security review?
GEMXIT helps organisations assess Microsoft 365, Azure and identity security to identify risks, strengthen controls and improve resilience.

Agent Foskett Cyber Security Briefings by GEMXIT

Agent Foskett is a cyber security briefing series by GEMXIT focused on Microsoft 365 security, Azure cloud security, identity protection, phishing detection, multi-factor authentication, Conditional Access, Microsoft Sentinel and KQL threat hunting.

These briefings highlight real-world scenarios including email spoofing, DMARC failures, session hijacking, impossible travel sign-ins, exposed cloud services, AI governance risks and misconfigured security controls.

The Agent Foskett hub connects practical investigations across Microsoft Defender, Sentinel, Entra ID, Exchange Online and Azure so organisations can understand the signals behind security events and improve their defensive posture.