Investigating SenderDisplayName in Microsoft Defender XDR.
The email looked familiar.
The display name said Microsoft Security Team.
The address told a different story.
Agent Foskett needed to understand what users actually saw before they trusted the message.
The answer was hidden inside SenderDisplayName.
In Microsoft Defender XDR, SenderDisplayName helps defenders investigate display-name impersonation, executive spoofing, business email compromise and deceptive sender identities.
Lesson overview
Learn how to investigate SenderDisplayName in EmailEvents and compare the friendly sender name with the actual sender address, sender domain, authentication evidence and threat classification.
Why SenderDisplayName matters
The fields used in this lesson
Step 1 — Review SenderDisplayName activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| project Timestamp,
SenderDisplayName,
SenderFromAddress,
SenderFromDomain,
RecipientEmailAddress,
Subject
| order by Timestamp desc
Step 2 — Count messages by display name
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailEvents | where Timestamp > ago(30d) | where isnotempty(SenderDisplayName) | summarize MessageCount = count() by SenderDisplayName | order by MessageCount desc
Step 3 — Hunt common impersonation names
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| where Timestamp > ago(30d)
| where SenderDisplayName has_any (
"Microsoft", "Microsoft Security", "IT Support", "Help Desk",
"Payroll", "Human Resources", "Finance", "CEO"
)
| project Timestamp,
SenderDisplayName,
SenderFromAddress,
RecipientEmailAddress,
Subject
| order by Timestamp desc
Step 4 — Compare display name with sender domain
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| project Timestamp,
SenderDisplayName,
SenderFromAddress,
SenderFromDomain,
SenderMailFromDomain,
Subject
| order by Timestamp desc
Step 5 — Review threats by display name
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| where isnotempty(ThreatTypes)
| summarize ThreatCount = count()
by SenderDisplayName,
ThreatTypes
| order by ThreatCount desc
Step 6 — Investigate display-name impersonation of an internal person
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
EmailEvents
| where Timestamp > ago(30d)
| where SenderDisplayName contains "Jonathan Foskett"
| where SenderFromAddress !endswith "@gemxit.au"
| project Timestamp,
SenderDisplayName,
SenderFromAddress,
RecipientEmailAddress,
Subject,
ThreatTypes,
DeliveryAction
| order by Timestamp desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating SenderDisplayName in Microsoft Defender XDR
Agent Foskett Academy Lesson 69 teaches defenders how to investigate SenderDisplayName during Microsoft Defender XDR email investigations.
Learn SenderDisplayName investigation in Defender XDR
This lesson explains how SenderDisplayName, SenderFromAddress, SenderFromDomain, SenderMailFromAddress, AuthenticationDetails, CompositeAuthentication, DeliveryAction and ThreatTypes help defenders identify display-name impersonation, executive spoofing, BEC attempts and suspicious sender identities.
