Agent Foskett • SigninLogs • Impossible Travel Investigation

The Impossible Travel Alert Was Real… But It Wasn’t the User

The alert looked routine.

Sydney… then Singapore only minutes later.

Most teams assumed VPN activity.

But the telemetry told a different story. The device changed. The browser changed. The MFA pattern changed.

The sign-in came through infrastructure the user had never used before.

This Agent Foskett investigation explores how defenders can investigate impossible travel alerts using Microsoft Entra ID, Microsoft Defender XDR, SigninLogs, Conditional Access telemetry and KQL hunting.

The alert looked normal.

The logs already knew it wasn’t the user.

Briefing summary

An impossible travel alert says two sign-ins were too far apart for the time between them. On its own that is explainable; the briefing shows how IP and location correlation, device and browser analysis, the MFA pattern recorded in AuthenticationDetails and the Conditional Access outcome reveal whether the second sign-in was really the user.

Review the risky sign-ins
Compare AuthenticationDetails
Follow the user's clicks before the sign-in
🚨 The sign-in passed enough checks to feel trusted.
But “trusted enough” is not the same as safe. Reading the impossible travel detection alongside the sign-in telemetry shows the authentication story behind the session.

What is Impossible Travel?

Impossible Travel is a risk detection, not a column. Microsoft Defender for Cloud Apps raises it when a user's activity comes from two locations that could not be reached in the time between them, and Entra ID Protection attaches it to the sign-in as a risk event type whose name includes impossibleTravel. In SigninLogs (the Entra sign-in table in Log Analytics and Microsoft Sentinel, also queryable from the unified Defender portal; the Defender XDR-native equivalent is AADSignInEventsBeta) it appears through the risk fields RiskEventTypes_V2, RiskLevelDuringSignIn, RiskState and RiskDetail, sitting beside the signals that explain it: IPAddress, Location, DeviceDetail, UserAgent, AuthenticationDetails and ConditionalAccessStatus.
The location looked explainable: the second location may be a VPN or cloud egress, so defenders need to verify what the rest of the sign-in telemetry actually showed.
The signals may be mixed: location, device, browser and MFA method tell different parts of the story. A location jump with the same device and a fresh MFA prompt reads very differently from one with a new device and no prompt at all.
The investigation needs context: the risk detection should be reviewed alongside AuthenticationDetails, DeviceDetail, ConditionalAccessStatus, AppDisplayName and what the user did before and after.

Why defenders miss it

Sign-in anomalies are missed because the user's experience is simple, while the authentication chain is not. The user signed in once; the telemetry may hold a second session that looks nothing like them.
The location looked explainable: VPNs, roaming and cloud proxies move users around the map every day, so “probably a VPN” closes the alert before anyone checks the device.
The sign-in succeeded: a ResultType of 0 and a satisfied MFA requirement prove the request met policy. They do not prove the user was behind it; a stolen token meets policy too.
The signal was buried: the best clue may not be a loud alert. It may be a field value sitting quietly inside SigninLogs, such as an empty deviceId, an unfamiliar browser, or an MFA step recorded as Previously satisfied.

First hunt: review Impossible Travel

Start by listing the sign-ins Entra flagged as risky, with the location, IP, device, browser, MFA requirement and Conditional Access outcome side by side. This gives defenders the authentication story behind the alert in one table.
signinlogs-risky-signins-review.kql
SigninLogs
| where TimeGenerated > ago(7d)
// the Defender for Cloud Apps detection is recorded as a risk event type containing "impossibleTravel"
| where tostring(RiskEventTypes_V2) contains "impossibleTravel"
    or RiskLevelDuringSignIn in ("medium", "high")
| extend Country = tostring(Location.countryOrRegion), City = tostring(Location.city)
| extend DeviceId = tostring(DeviceDetail.deviceId),
         OS = tostring(DeviceDetail.operatingSystem),
         Browser = tostring(DeviceDetail.browser)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Country, City,
          DeviceId, OS, Browser, UserAgent,
          AuthenticationRequirement, ConditionalAccessStatus, ResultType,
          RiskEventTypes_V2, RiskLevelDuringSignIn, RiskState, RiskDetail
| order by UserPrincipalName asc, TimeGenerated desc
What to review: for each user, read the flagged sign-in next to their previous one. Same device, same browser, same app and a new IP is the VPN pattern; a new IP with an empty DeviceId, a different OS and browser and a changed MFA requirement is a different session entirely.
Why it matters: these fields reveal the difference between where the user was and which client actually held the session.
Best next pivot: pivot into AuthenticationDetails for the flagged sign-ins, then into UrlClickEvents and mailbox activity for the same user.

How Impossible Travel relates to AuthenticationDetails

The risk fields and AuthenticationDetails should be read together. RiskEventTypes_V2 and RiskDetail give the verdict summary, while AuthenticationDetails is an array with one entry per authentication step, each recording authenticationMethod, succeeded, authenticationStepResultDetail and authenticationStepRequirement. That per-step detail is where the “MFA pattern changed” clue from the briefing lives.
AuthenticationRequirement can be misleading: a value of multiFactorAuthentication means the policy demanded MFA. It does not say how MFA was satisfied.
AuthenticationDetails reveals the method: steps such as Password followed by Mobile app notification show a fresh interactive sign-in. A single step of Previously satisfied means the MFA claim was carried in an existing session or token rather than performed again, which is what a replayed session looks like.
ConditionalAccessStatus ties it together: success, failure or notApplied shows whether any policy evaluated the sign-in at all, so a “trusted” sign-in from a new device may simply have hit no policy that cared about devices.

Second hunt: compare the authentication steps

A Previously satisfied step is not always malicious (a user opening a second app inside an existing session produces one too), but on a flagged sign-in it is always worth understanding. Expand AuthenticationDetails so each step becomes a row and compare the flagged sign-in against the user's normal pattern.
signinlogs-authenticationdetails-steps.kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"   // successful sign-ins only
| mv-expand Step = AuthenticationDetails
| extend Method = tostring(Step.authenticationMethod),
         StepSucceeded = tobool(Step.succeeded),
         StepDetail = tostring(Step.authenticationStepResultDetail),
         StepRequirement = tostring(Step.authenticationStepRequirement)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
          Country = tostring(Location.countryOrRegion),
          Browser = tostring(DeviceDetail.browser),
          AuthenticationRequirement, ConditionalAccessStatus,
          Method, StepSucceeded, StepDetail, StepRequirement, RiskLevelDuringSignIn
| order by UserPrincipalName asc, TimeGenerated desc
The query is left broad on purpose so the same run shows the user's baseline next to the anomaly; once you have a target, add a UserPrincipalName filter and read the steps for the flagged sign-in against the ones just before it.

Third hunt: follow user clicks after suspicious delivery

Authentication anomalies become more important once you know how the session was obtained. After reviewing SigninLogs, pivot into UrlClickEvents for the same user and look at the hours before the flagged sign-in: an allowed click on a link Defender later tagged as a threat, shortly before a sign-in whose MFA was Previously satisfied, is the sequence to look for when a session rather than a password was stolen.
url-clicks-before-risky-signin.kql
let risky = SigninLogs
    | where TimeGenerated > ago(7d)
    | where tostring(RiskEventTypes_V2) contains "impossibleTravel"
    | project User = tolower(UserPrincipalName), SignInTime = TimeGenerated, SignInIP = IPAddress;
UrlClickEvents
| where Timestamp > ago(7d)
| extend User = tolower(AccountUpn)
| join kind=inner risky on User
| where Timestamp between ((SignInTime - 2h) .. SignInTime)   // clicks in the two hours before the risky sign-in
| project ClickTime = Timestamp, SignInTime, User, Url, ActionType, ThreatTypes,
          IsClickedThrough, NetworkMessageId, SignInIP
| order by SignInTime desc, ClickTime desc
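To make the three hunts concrete without a tenant, here is an added example written for this briefing (it is not a query or tool from the page, nor GEMXIT's own code). It runs the same logic the KQL expresses over constructed records shaped like SigninLogs rows (Location, DeviceDetail, AuthenticationDetails) and a UrlClickEvents row: the implied travel speed between consecutive sign-ins, which sign-in properties changed, whether the MFA step was Previously satisfied, and whether an allowed click preceded the flagged sign-in. The 1000 km/h threshold, the two-hour click window, the coordinates, UPNs, IPs and the click URL are all assumptions.

```python
"""Offline triage of an impossible-travel pair (added example, not a query from the page).
Applies the three hunts to constructed SigninLogs- and UrlClickEvents-shaped records:
implied travel speed, device/browser/MFA context change, and allowed URL clicks before
the flagged sign-in. Thresholds, coordinates, UPNs, IPs and URLs are assumed."""
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps both tables export."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed(earlier: dict, later: dict) -> tuple[float, float]:
    """Distance (km) and speed (km/h) needed to be present at both sign-ins."""
    g1, g2 = earlier["Location"]["geoCoordinates"], later["Location"]["geoCoordinates"]
    dist = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
    hours = (parse_ts(later["TimeGenerated"]) - parse_ts(earlier["TimeGenerated"])).total_seconds() / 3600
    if hours <= 0:
        return dist, (float("inf") if dist > 0 else 0.0)
    return dist, dist / hours

def auth_methods(sign_in: dict) -> list[str]:
    """Succeeded authentication steps, as Entra records them in AuthenticationDetails."""
    return [s["authenticationMethod"] for s in sign_in["AuthenticationDetails"] if s.get("succeeded")]

def context_changes(earlier: dict, later: dict) -> list[str]:
    """Sign-in properties that differ between the two events; a VPN hop changes only the IP."""
    changes = ["ip"] if earlier["IPAddress"] != later["IPAddress"] else []
    changes += [k for k in ("deviceId", "operatingSystem", "browser")
                if earlier["DeviceDetail"].get(k) != later["DeviceDetail"].get(k)]
    if auth_methods(earlier) != auth_methods(later):
        changes.append("mfaPattern")
    return changes

def clicks_before(sign_in: dict, clicks: list[dict], window: timedelta) -> list[str]:
    """NetworkMessageIds of allowed clicks by the same user within `window` before the sign-in."""
    t = parse_ts(sign_in["TimeGenerated"])
    return [c["NetworkMessageId"] for c in clicks
            if c["AccountUpn"].lower() == sign_in["UserPrincipalName"].lower()
            and c["ActionType"] == "ClickAllowed"
            and t - window <= parse_ts(c["Timestamp"]) <= t]

def triage(signins: list[dict], clicks: list[dict], max_speed_kmh: float = 1000.0,
           click_window: timedelta = timedelta(hours=2)) -> list[dict]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh (assumed airline speed)."""
    by_user: dict[str, list[dict]] = {}
    for s in sorted(signins, key=lambda s: parse_ts(s["TimeGenerated"])):
        by_user.setdefault(s["UserPrincipalName"].lower(), []).append(s)
    findings = []
    for user, rows in by_user.items():
        for earlier, later in zip(rows, rows[1:]):
            dist, speed = implied_speed(earlier, later)
            if speed <= max_speed_kmh:
                continue
            changes = context_changes(earlier, later)
            findings.append({
                "user": user, "distance_km": round(dist, 1), "speed_kmh": round(speed, 1),
                "changes": changes,
                # "Previously satisfied": the MFA claim rode in on an existing session/token
                "mfa_previously_satisfied": "Previously satisfied" in auth_methods(later),
                "prior_clicks": clicks_before(later, clicks, click_window),
                # A new IP alone is explainable (VPN); a new device, OS, browser or MFA pattern is not
                "verdict": "escalate" if any(c != "ip" for c in changes) else "review",
            })
    return findings

def _signin(ts, upn, ip, city, cc, lat, lon, device, os_, browser, methods):
    """Build a constructed record in the shape of a SigninLogs row (subset of columns)."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "IPAddress": ip,
            "Location": {"city": city, "countryOrRegion": cc,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}},
            "DeviceDetail": {"deviceId": device, "operatingSystem": os_, "browser": browser},
            "AuthenticationDetails": [{"authenticationMethod": m, "succeeded": True} for m in methods]}

# Constructed sample: the Sydney -> Singapore pair from the briefing, plus a VPN-like pair for contrast.
SIGNINS = [
    _signin("2024-05-01T01:00:00Z", "alex@contoso.example", "203.0.113.10", "Sydney", "AU", -33.87, 151.21,
            "dev-1", "Windows 11", "Edge 124.0", ["Password", "Mobile app notification"]),
    _signin("2024-05-01T01:12:00Z", "alex@contoso.example", "198.51.100.7", "Singapore", "SG", 1.35, 103.82,
            "", "Linux", "Chrome 123.0", ["Previously satisfied"]),
    _signin("2024-05-01T08:00:00Z", "sam@contoso.example", "192.0.2.20", "London", "GB", 51.51, -0.13,
            "dev-2", "Windows 11", "Edge 124.0", ["Password", "Mobile app notification"]),
    _signin("2024-05-01T08:30:00Z", "sam@contoso.example", "192.0.2.99", "New York", "US", 40.71, -74.01,
            "dev-2", "Windows 11", "Edge 124.0", ["Password", "Mobile app notification"]),
]
# Constructed UrlClickEvents-shaped row: an allowed click 31 minutes before the Singapore sign-in.
CLICKS = [{"Timestamp": "2024-05-01T00:41:00Z", "AccountUpn": "Alex@contoso.example",
           "Url": "https://login-verify.contoso.example/", "ActionType": "ClickAllowed",
           "ThreatTypes": "Phish", "NetworkMessageId": "msg-0001"}]
```

Calling `triage(SIGNINS, CLICKS)` flags both users for speed, but only the Sydney/Singapore pair escalates: the second sign-in has an empty deviceId, a different OS and browser, an MFA step of Previously satisfied and an allowed click 31 minutes earlier. The London/New York pair moves only the IP with the same device and a fresh password-plus-app MFA, which is the VPN pattern and gets a review verdict instead.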

What Impossible Travel does not automatically mean

Impossible Travel is evidence, not the verdict. It says two locations were too far apart for the elapsed time, but the sign-in still needs surrounding context before deciding whether it is malicious, explainable or a geolocation artefact.
VPNs and cloud egress complicate results: corporate VPN concentrators, cloud proxies and security service edges place users wherever the egress sits, and a user who switches between a home connection and the VPN will trip the detection without moving.
Mobile and roaming change the story: carrier IP ranges and roaming geolocate poorly, so the Location field may be hundreds of kilometres from the handset.
Geolocation drift is common: IP-to-location data is an estimate and can lag address reassignments, so an anomaly on location alone may be a data problem rather than an attack, but it still deserves the device and MFA check before it is closed.

Where defenders get caught

Sign-in investigations fail when teams assume one passing check means the whole session is safe. Strong investigations compare the location, the device and browser, the authentication steps, the Conditional Access outcome and what the user did before and after.
They trust MFA success: an AuthenticationRequirement of multiFactorAuthentication with a Previously satisfied step does not prove the user performed MFA from that location.
They ignore the baseline: the real question is whether the device, browser, app and MFA pattern match the user's previous sign-ins, not whether the second location is plausible.
They stop at the sign-in: if the session was obtained and used, the investigation must continue into URL clicks, mailbox rules and mailbox access, and any other sign-ins from the same IP.

How GEMXIT approaches this type of investigation

At GEMXIT, we treat Impossible Travel as one part of the wider sign-in investigation story. We review the risk detection, the sign-in properties, the authentication steps, the Conditional Access outcome, threat signals and user interaction together.
We compare sign-in fields: IPAddress, Location, DeviceDetail, UserAgent, AppDisplayName, AuthenticationRequirement and AuthenticationDetails all help explain which client really held the session.
We correlate user behaviour: the sign-in alone is not the full incident. URL clicks, mailbox access and further sign-ins help reveal whether the user was phished and what the session was used for.
We improve authentication controls: response may include revoking the user's sessions and refresh tokens, requiring device compliance or phishing-resistant MFA in Conditional Access, Defender and Entra risk policy tuning, and user education.
The authentication looked fine. The investigation still needed proof.
GEMXIT helps organisations investigate Impossible Travel, AuthenticationDetails, Conditional Access telemetry, Defender XDR telemetry and practical KQL hunting workflows.

Final thought

The alert looked routine.

The location looked explainable.

The sign-in passed through the environment quietly.

But the telemetry already knew something deserved a second look.

The real investigation started with one field:

Impossible Travel.
At GEMXIT: We help organisations investigate Microsoft Defender XDR and Microsoft Entra ID sign-in anomalies, risky sign-ins, suspicious delivery, URL clicks and real-world security operations workflows.
Agent Foskett mindset: The question is not only: “Did the sign-in pass authentication?”

It is: “What exactly passed — and what quietly failed?”
