Agent Foskett Academy • Lesson 69 • Email Investigation

Investigating SenderDisplayName in Microsoft Defender XDR.

The email looked familiar.

The display name said Microsoft Security Team.

The address told a different story.

Agent Foskett needed to understand what users actually saw before they trusted the message.

The answer was hidden inside SenderDisplayName.

In Microsoft Defender XDR, SenderDisplayName helps defenders investigate display-name impersonation, executive spoofing, business email compromise and deceptive sender identities.

Agent Foskett Academy lesson explaining SenderDisplayName in Microsoft Defender XDR
Lesson overview

Learn how to investigate SenderDisplayName in EmailEvents and compare the friendly sender name with the actual sender address, sender domain, authentication evidence and threat classification.

Review display names shown to users
Identify display-name impersonation
Compare names with sender addresses and domains
Connect deceptive names to threats and delivery outcomes

Why SenderDisplayName matters

SenderDisplayName shows the friendly name presented to recipients. Attackers often abuse trusted-looking names even when the underlying sender address belongs somewhere else.
It shows what users sawSenderDisplayName helps defenders understand the name displayed to the recipient before the email address is inspected.
It supports impersonation analysisAttackers often use display names such as Microsoft Support, Payroll, Human Resources, Finance or a senior executive to create trust.
It needs sender contextSenderDisplayName becomes more useful when compared with SenderFromAddress, SenderFromDomain, SenderMailFromAddress and authentication evidence.

The fields used in this lesson

SenderDisplayNameThe friendly sender name displayed to recipients in the message.
SenderFromAddressThe visible sender address shown to recipients.
SenderFromDomainThe visible sender domain presented to the recipient.
SenderMailFromAddressThe SMTP Mail From address used during message delivery.
AuthenticationDetailsDetailed SPF, DKIM, DMARC and authentication evidence associated with the message.
ThreatTypesMicrosoft threat classification, such as phishing, malware, spam or spoofing.

Step 1 — Review SenderDisplayName activity

Start by reviewing recent messages where Defender recorded a sender display name.
review-senderdisplayname.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| project Timestamp,
          SenderDisplayName,
          SenderFromAddress,
          SenderFromDomain,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Count messages by display name

Summarising by SenderDisplayName helps identify names most commonly presented to users.
senderdisplayname-message-counts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| summarize MessageCount = count() by SenderDisplayName
| order by MessageCount desc

Step 3 — Hunt common impersonation names

Search for display names commonly abused in phishing, business email compromise and fake support messages.
senderdisplayname-common-impersonation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where SenderDisplayName has_any (
    "Microsoft", "Microsoft Security", "IT Support", "Help Desk",
    "Payroll", "Human Resources", "Finance", "CEO"
)
| project Timestamp,
          SenderDisplayName,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 4 — Compare display name with sender domain

A trusted-looking display name should be compared against the sender address and domain to identify suspicious mismatches.
senderdisplayname-domain-comparison.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| project Timestamp,
          SenderDisplayName,
          SenderFromAddress,
          SenderFromDomain,
          SenderMailFromDomain,
          Subject
| order by Timestamp desc

Step 5 — Review threats by display name

Group suspicious messages by display name to identify repeated impersonation patterns.
senderdisplayname-threats.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderDisplayName)
| where isnotempty(ThreatTypes)
| summarize ThreatCount = count()
          by SenderDisplayName,
             ThreatTypes
| order by ThreatCount desc

Step 6 — Investigate display-name impersonation of an internal person

When an executive or staff member is impersonated, compare the display name with trusted internal domains.
senderdisplayname-internal-impersonation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where SenderDisplayName contains "Jonathan Foskett"
| where SenderFromAddress !endswith "@gemxit.au"
| project Timestamp,
          SenderDisplayName,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction
| order by Timestamp desc

How to read the results

SenderDisplayName is user-perception evidence. It should be interpreted with sender address, sender domain, authentication and delivery context.
A trusted name is not proofA familiar display name can be typed by an attacker. Validate it against sender address, sender domain and authentication results.
Display-name abuse is social engineeringThe name shown to the user can explain why a phishing email felt legitimate even when the address was suspicious.
Threat and delivery evidence mattersAlways compare SenderDisplayName with ThreatTypes, DeliveryAction, AuthenticationDetails and CompositeAuthentication.

Common investigation uses

Executive impersonationIdentify messages where attackers use a senior leader's name to pressure staff into action.
Business email compromiseReview finance, payroll and vendor-themed display names used in payment redirection or invoice fraud attempts.
Fake Microsoft notificationsInvestigate messages that use names such as Microsoft Support, Microsoft Security or IT Help Desk.
User trust analysisUnderstand what the recipient saw and why the message may have appeared legitimate.

Common mistakes

Trusting the friendly nameSenderDisplayName is not authentication. It is a display value and must be validated against the real sender evidence.
Ignoring the sender addressA legitimate-looking name can sit beside an unrelated sender address or domain.
Skipping internal impersonation checksIf a staff member or executive name appears, confirm whether the sending address belongs to the organisation.

What you learned

SenderDisplayName shows the friendly nameIt identifies the sender name displayed to recipients in the email client.
Display names need validationCompare SenderDisplayName with SenderFromAddress, SenderFromDomain, SenderMailFromAddress and authentication evidence.
SenderDisplayName supports phishing analysisIt helps explain display-name impersonation, executive spoofing, BEC attempts and suspicious sender presentation.

Related Agent Foskett Academy lessons

Investigating SenderFromDomainReview the visible sender domain presented to recipients.
Investigating SenderMailFromAddressReview the SMTP Mail From address behind the email.
Investigating SenderMailFromDomainUnderstand the SMTP domain used during message delivery.
Investigating RecipientEmailAddressIdentify affected mailboxes and campaign reach.
Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and authentication detail evidence.
Investigating CompositeAuthenticationUnderstand Microsoft’s overall authentication verdict.

Coming next

Lesson 70 — Investigating Subject in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use Subject to identify phishing lures, campaign themes, invoice fraud, credential-harvesting attempts and repeated email patterns.
Why this mattersSenderDisplayName shows the friendly identity users saw. Subject helps explain the lure that tried to make them act.

Final thought

The display name is often the first thing a user trusts. SenderDisplayName helps defenders investigate that trust decision.
Agent Foskett mindsetDo not trust the friendly name. Compare what users saw with what the logs prove.
Check the human-facing identitySenderDisplayName helps reveal how the attacker tried to look familiar or authoritative.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating SenderDisplayName in Microsoft Defender XDR

Agent Foskett Academy Lesson 69 teaches defenders how to investigate SenderDisplayName during Microsoft Defender XDR email investigations.

Learn SenderDisplayName investigation in Defender XDR

This lesson explains how SenderDisplayName, SenderFromAddress, SenderFromDomain, SenderMailFromAddress, AuthenticationDetails, CompositeAuthentication, DeliveryAction and ThreatTypes help defenders identify display-name impersonation, executive spoofing, BEC attempts and suspicious sender identities.