Investigating EmailAuthenticationResults in Microsoft Defender XDR.
The sender looked trusted.
The display name looked familiar.
The message reached the mailbox.
But the authentication evidence needed a closer look.
EmailAuthenticationResults helps defenders understand what SPF, DKIM, DMARC and composite authentication really said about the message.
Lesson overview
Learn how EmailAuthenticationResults supports Microsoft Defender XDR email investigations by exposing SPF, DKIM, DMARC and composite authentication evidence.
What EmailAuthenticationResults is
Why this field matters
Fields to review with EmailAuthenticationResults
Step 1 — Start with recent email authentication evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
EmailEvents
| where Timestamp > ago(30d)
| project Timestamp,
SenderFromAddress,
SenderMailFromAddress,
SenderFromDomain,
SenderMailFromDomain,
RecipientEmailAddress,
Subject,
DeliveryAction,
EmailAuthenticationResults,
AuthenticationDetails
| order by Timestamp desc
Step 2 — Find DMARC failures
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
EmailEvents
| where Timestamp > ago(30d)
| where EmailAuthenticationResults has "dmarc=fail"
or AuthenticationDetails has "dmarc=fail"
| project Timestamp,
SenderFromAddress,
SenderMailFromAddress,
RecipientEmailAddress,
Subject,
DeliveryAction,
EmailAuthenticationResults,
AuthenticationDetails
| order by Timestamp desc
Step 3 — Compare visible sender and envelope sender
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 14
- 15
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain != SenderMailFromDomain
| project Timestamp,
SenderFromAddress,
SenderMailFromAddress,
SenderFromDomain,
SenderMailFromDomain,
Subject,
DeliveryAction,
EmailAuthenticationResults
| order by Timestamp desc
Step 4 — Review messages that passed but still look suspicious
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| where Timestamp > ago(30d)
| where EmailAuthenticationResults has "dmarc=pass"
| where Subject has_any ("invoice", "payment", "password", "verify", "account")
| project Timestamp,
SenderFromAddress,
RecipientEmailAddress,
Subject,
DeliveryAction,
ThreatTypes,
EmailAuthenticationResults
| order by Timestamp desc
Step 5 — Connect authentication to the message trail
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let MessageId = "<NetworkMessageId>";
EmailEvents
| where NetworkMessageId == MessageId
| project Timestamp,
NetworkMessageId,
SenderFromAddress,
SenderMailFromAddress,
Subject,
DeliveryAction,
EmailAuthenticationResults,
AuthenticationDetails
