Investigating CompositeAuthentication in Microsoft Defender XDR.
SPF passed.
DKIM passed.
DMARC looked aligned.
Yet Microsoft still treated the message as suspicious.
Agent Foskett traced the answer to CompositeAuthentication.
In Microsoft Defender XDR, CompositeAuthentication helps defenders understand Microsoft's overall authentication verdict across SPF, DKIM, DMARC, alignment and sender trust signals.
Lesson overview
Learn how to investigate CompositeAuthentication in EmailEvents and connect Microsoft’s overall authentication verdict to sender identity, message handling and threat classification.
Why CompositeAuthentication matters
The fields used in this lesson
Step 1 — Review CompositeAuthentication activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| project Timestamp,
SenderFromAddress,
SenderFromDomain,
SenderMailFromDomain,
CompositeAuthentication,
AuthenticationDetails,
Subject
| order by Timestamp desc
Step 2 — Summarise CompositeAuthentication results
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailEvents | where Timestamp > ago(30d) | where isnotempty(CompositeAuthentication) | summarize MessageCount = count() by CompositeAuthentication | order by MessageCount desc
Step 3 — Find failed CompositeAuthentication results
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
EmailEvents
| where Timestamp > ago(30d)
| where CompositeAuthentication contains "fail"
| project Timestamp,
SenderFromAddress,
SenderFromDomain,
SenderMailFromDomain,
CompositeAuthentication,
AuthenticationDetails,
Subject
| order by Timestamp desc
Step 4 — Compare visible and SMTP domains
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| summarize MessageCount = count()
by SenderFromDomain,
SenderMailFromDomain,
CompositeAuthentication
| order by MessageCount desc
Step 5 — Compare authentication verdicts with delivery outcomes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| summarize MessageCount = count()
by CompositeAuthentication,
DeliveryAction,
DeliveryLocation
| order by MessageCount desc
Step 6 — Review suspicious messages with authentication evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| where isnotempty(ThreatTypes) or CompositeAuthentication contains "fail"
| project Timestamp,
SenderFromAddress,
ThreatTypes,
CompositeAuthentication,
AuthenticationDetails,
DeliveryAction,
Subject
| order by Timestamp desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating CompositeAuthentication in Microsoft Defender XDR
Agent Foskett Academy Lesson 66 teaches defenders how to investigate CompositeAuthentication during Microsoft Defender XDR email investigations.
Learn CompositeAuthentication investigation in Defender XDR
This lesson explains how CompositeAuthentication, AuthenticationDetails, SPF, DKIM, DMARC, SenderFromDomain, SenderMailFromDomain, ThreatTypes and DeliveryAction help defenders understand Microsoft’s overall email authentication verdict.
