Agent Foskett Academy • Lesson 66 • Email Investigation

Investigating CompositeAuthentication in Microsoft Defender XDR.

SPF passed.

DKIM passed.

DMARC looked aligned.

Yet Microsoft still treated the message as suspicious.

Agent Foskett traced the answer to CompositeAuthentication.

In Microsoft Defender XDR, CompositeAuthentication helps defenders understand Microsoft's overall authentication verdict across SPF, DKIM, DMARC, alignment and sender trust signals.

Agent Foskett Academy lesson explaining CompositeAuthentication in Microsoft Defender XDR
Lesson overview

Learn how to investigate CompositeAuthentication in EmailEvents and connect Microsoft’s overall authentication verdict to sender identity, message handling and threat classification.

Review CompositeAuthentication results
Compare SPF, DKIM, DMARC and alignment context
Investigate spoofing and authentication anomalies
Connect authentication verdicts to delivery outcomes

Why CompositeAuthentication matters

CompositeAuthentication helps explain Microsoft’s overall trust decision when individual authentication checks do not tell the full story.
It gives the overall verdictSPF, DKIM and DMARC are individual signals. CompositeAuthentication helps show how Microsoft assessed the message as a whole.
It supports spoofing investigationsA failed or unexpected composite result can help defenders investigate impersonation, forwarding, alignment and domain trust issues.
It explains confusing outcomesA message may pass one check but still be suspicious when Microsoft combines authentication and sender trust signals.

The fields used in this lesson

CompositeAuthenticationMicrosoft’s combined authentication verdict for the email message.
AuthenticationDetailsDetailed SPF, DKIM, DMARC and authentication evidence associated with the message.
SenderFromDomainThe visible sender domain shown to recipients.
SenderMailFromDomainThe SMTP Mail From domain used during delivery and often evaluated during SPF checks.
DeliveryActionWhat Microsoft 365 did with the message during delivery.
ThreatTypesMicrosoft threat classification, such as phishing, malware, spam or spoofing.

Step 1 — Review CompositeAuthentication activity

Start by reviewing recent messages where Defender recorded a CompositeAuthentication result.
review-compositeauthentication.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          SenderMailFromDomain,
          CompositeAuthentication,
          AuthenticationDetails,
          Subject
| order by Timestamp desc

Step 2 — Summarise CompositeAuthentication results

Summarising the verdicts helps defenders understand common authentication outcomes across the tenant.
summarise-compositeauthentication.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| summarize MessageCount = count() by CompositeAuthentication
| order by MessageCount desc

Step 3 — Find failed CompositeAuthentication results

Failed composite authentication can indicate spoofing, alignment issues, forwarding problems or suspicious sender behaviour.
failed-compositeauthentication.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where CompositeAuthentication contains "fail"
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          SenderMailFromDomain,
          CompositeAuthentication,
          AuthenticationDetails,
          Subject
| order by Timestamp desc

Step 4 — Compare visible and SMTP domains

CompositeAuthentication becomes more useful when reviewed with visible sender and Mail From domain evidence.
compositeauthentication-domain-comparison.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| summarize MessageCount = count()
          by SenderFromDomain,
             SenderMailFromDomain,
             CompositeAuthentication
| order by MessageCount desc

Step 5 — Compare authentication verdicts with delivery outcomes

This helps explain whether messages were delivered, quarantined, blocked or placed somewhere unexpected.
compositeauthentication-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| summarize MessageCount = count()
          by CompositeAuthentication,
             DeliveryAction,
             DeliveryLocation
| order by MessageCount desc

Step 6 — Review suspicious messages with authentication evidence

CompositeAuthentication is most useful when correlated with ThreatTypes, AuthenticationDetails and delivery evidence.
compositeauthentication-threats.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(CompositeAuthentication)
| where isnotempty(ThreatTypes) or CompositeAuthentication contains "fail"
| project Timestamp,
          SenderFromAddress,
          ThreatTypes,
          CompositeAuthentication,
          AuthenticationDetails,
          DeliveryAction,
          Subject
| order by Timestamp desc

How to read the results

CompositeAuthentication is an authentication verdict. It should be interpreted with sender identity, authentication details and delivery context.
Pass does not always mean safePassing authentication helps, but defenders should still review sender reputation, content, URLs, attachments and user reports.
Fail needs investigationA failed composite result can point to spoofing, misalignment, forwarding, relay issues or malicious sender infrastructure.
Context is essentialReview CompositeAuthentication with AuthenticationDetails, SenderFromDomain, SenderMailFromDomain, ThreatTypes and DeliveryAction.

Common investigation uses

Spoofing investigationsReview whether Microsoft trusted the sender identity presented in the message.
DMARC troubleshootingCompare composite verdicts with SPF, DKIM, DMARC and domain alignment evidence.
Phishing investigationsUnderstand whether suspicious messages passed authentication or failed Microsoft’s broader trust assessment.
Mail flow validationConfirm whether legitimate senders are authenticating correctly and being handled as expected.

Common mistakes

Looking only at SPFSPF is only one authentication signal. CompositeAuthentication helps show Microsoft’s combined assessment.
Ignoring alignmentDMARC and composite verdicts often depend on whether sender identities align correctly.
Treating pass as final proofAuthentication success does not prove the message is harmless. It only explains part of the trust decision.

What you learned

CompositeAuthentication is the overall verdictIt helps defenders understand Microsoft’s combined email authentication assessment.
Authentication signals must be comparedSPF, DKIM, DMARC, SenderFromDomain and SenderMailFromDomain should be reviewed together.
Delivery context mattersCompositeAuthentication becomes more valuable when connected to DeliveryAction, DeliveryLocation and ThreatTypes.

Related Agent Foskett Academy lessons

Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and authentication detail evidence.
Investigating SenderMailFromDomainUnderstand the SMTP domain used during message delivery.
Investigating SenderMailFromAddressReview the SMTP Mail From address behind the email.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message.
Investigating EmailDirectionDetermine whether messages were inbound, outbound or internal.

Coming next

Lesson 67 — Investigating RecipientEmailAddress in Microsoft Defender XDR Next, Agent Foskett Academy will explain how defenders use RecipientEmailAddress to identify who received suspicious messages, determine phishing campaign reach and investigate email distribution activity across Microsoft 365.
Why this matters CompositeAuthentication explains trust. RecipientEmailAddress helps defenders understand exactly who received a suspicious message and how far an email campaign spread throughout the organisation.

Final thought

SPF, DKIM and DMARC are important. CompositeAuthentication helps explain how Microsoft interpreted the message as a whole.
Agent Foskett mindsetDo not stop at one authentication check. Read the full authentication verdict and compare it with the rest of the evidence.
Read the verdictCompositeAuthentication turns individual authentication signals into a broader trust decision.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating CompositeAuthentication in Microsoft Defender XDR

Agent Foskett Academy Lesson 66 teaches defenders how to investigate CompositeAuthentication during Microsoft Defender XDR email investigations.

Learn CompositeAuthentication investigation in Defender XDR

This lesson explains how CompositeAuthentication, AuthenticationDetails, SPF, DKIM, DMARC, SenderFromDomain, SenderMailFromDomain, ThreatTypes and DeliveryAction help defenders understand Microsoft’s overall email authentication verdict.