Agent Foskett Academy • Lesson 68 • Email Investigation

Investigating SenderFromDomain in Microsoft Defender XDR.

The email looked legitimate.

The sender appeared to be from a trusted company.

Yet something about the domain did not feel right.

Agent Foskett needed to determine what domain recipients were actually shown.

The answer was hidden inside SenderFromDomain.

In Microsoft Defender XDR, SenderFromDomain helps defenders investigate the visible sender domain presented to recipients, making it easier to identify impersonation, spoofing and suspicious email activity.

Agent Foskett Academy lesson explaining SenderFromDomain in Microsoft Defender XDR
Lesson overview

Learn how to investigate SenderFromDomain in EmailEvents and compare visible sender domains with SMTP sender evidence, authentication outcomes and threat classifications.

Review visible sender domains
Identify impersonation attempts
Compare From and Mail From domains
Connect sender domains to threats and delivery outcomes

Why SenderFromDomain matters

SenderFromDomain shows the visible sender domain presented to recipients. It is one of the first fields defenders should review when investigating impersonation, spoofing and suspicious email activity.
It shows the visible domainSenderFromDomain helps defenders understand which domain users saw in the From address.
It supports impersonation analysisAttackers often abuse trusted-looking domains, lookalike domains or compromised sender identities to gain user trust.
It needs authentication contextSenderFromDomain becomes more powerful when compared with SenderMailFromDomain, AuthenticationDetails and CompositeAuthentication.

The fields used in this lesson

SenderFromDomainThe visible sender domain presented to recipients in the From address.
SenderFromAddressThe visible sender address shown to recipients.
SenderMailFromDomainThe SMTP Mail From domain used during message delivery.
AuthenticationDetailsDetailed SPF, DKIM, DMARC and authentication evidence associated with the message.
CompositeAuthenticationMicrosoft’s overall authentication verdict for the email message.
ThreatTypesMicrosoft threat classification, such as phishing, malware, spam or spoofing.

Step 1 — Review SenderFromDomain activity

Start by reviewing recent messages where Defender recorded a visible sender domain.
review-senderfromdomain.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| project Timestamp,
          SenderFromDomain,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Count messages by visible sender domain

Summarising by SenderFromDomain helps identify the domains most often appearing in user-visible sender addresses.
senderfromdomain-message-counts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| summarize MessageCount = count() by SenderFromDomain
| order by MessageCount desc

Step 3 — Compare visible and SMTP sender domains

Compare SenderFromDomain with SenderMailFromDomain to identify domain mismatches, forwarding behaviour and suspicious sender identity patterns.
senderfromdomain-mailfrom-comparison.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| project Timestamp,
          SenderFromDomain,
          SenderMailFromDomain,
          SenderFromAddress,
          AuthenticationDetails,
          Subject
| order by Timestamp desc

Step 4 — Investigate a suspicious visible domain

When a suspicious domain appears in the From address, review all related messages and recipients.
investigate-visible-domain.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain contains "microsoft"
| project Timestamp,
          SenderFromDomain,
          SenderMailFromDomain,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes
| order by Timestamp desc

Step 5 — Review threats by SenderFromDomain

Group threat classifications by visible sender domain to identify domains associated with phishing, spoofing, malware or spam activity.
senderfromdomain-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| summarize MessageCount = count()
          by SenderFromDomain,
             ThreatTypes
| order by MessageCount desc

Step 6 — Compare SenderFromDomain with authentication and delivery outcomes

This helps explain whether visible sender domains were trusted, blocked, quarantined, delivered or associated with authentication failures.
senderfromdomain-auth-delivery.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| summarize MessageCount = count()
          by SenderFromDomain,
             CompositeAuthentication,
             DeliveryAction,
             DeliveryLocation
| order by MessageCount desc

How to read the results

SenderFromDomain is visible sender evidence. It should be interpreted with SMTP sender data, authentication results and delivery context.
Visible does not mean verifiedThe domain users see in the From address still needs to be checked against authentication and sender infrastructure evidence.
Domain mismatch needs contextMismatch between SenderFromDomain and SenderMailFromDomain can be legitimate, but it can also explain spoofing, forwarding or phishing behaviour.
Threat and delivery evidence mattersAlways compare SenderFromDomain with ThreatTypes, DeliveryAction, AuthenticationDetails and CompositeAuthentication.

Common investigation uses

Brand impersonationReview whether attackers are using trusted or lookalike domains to impersonate known organisations.
Business email compromiseDetermine whether a message appeared to come from a trusted business partner, finance contact or executive domain.
DMARC and alignment reviewCompare the visible From domain against Mail From and authentication details to understand trust decisions.
Phishing campaign analysisGroup suspicious messages by visible domain to identify repeated impersonation patterns.

Common mistakes

Assuming the From domain is trustedA familiar SenderFromDomain still needs to be validated with authentication and delivery evidence.
Ignoring Mail From evidenceSenderFromDomain shows what users saw. SenderMailFromDomain helps explain what SMTP delivery used.
Forgetting user perceptionUsers make trust decisions based on visible sender details, so SenderFromDomain is important even when transport evidence differs.

What you learned

SenderFromDomain shows the visible domainIt identifies the sender domain shown to the recipient in the From address.
Visible domains need contextCompare SenderFromDomain with SenderMailFromDomain, AuthenticationDetails and CompositeAuthentication.
SenderFromDomain supports phishing analysisIt helps identify brand impersonation, spoofing patterns and suspicious sender behaviour.

Related Agent Foskett Academy lessons

Investigating SenderMailFromDomainUnderstand the SMTP domain used during message delivery.
Investigating SenderMailFromAddressReview the SMTP Mail From address behind the email.
Investigating RecipientEmailAddressIdentify affected mailboxes and campaign reach.
Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and authentication detail evidence.
Investigating CompositeAuthenticationUnderstand Microsoft’s overall authentication verdict.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.

Coming next

Lesson 69 — Investigating SenderDisplayName in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use SenderDisplayName to investigate display-name impersonation, executive spoofing and suspicious sender presentation.
Why this mattersSenderFromDomain shows the visible domain. SenderDisplayName helps explain the human-friendly name users saw before deciding whether to trust the message.

Final thought

The domain users see is part of the investigation. SenderFromDomain helps defenders test whether that visible identity deserves trust.
Agent Foskett mindsetDo not trust the domain just because users recognise it. Compare what was displayed with what the logs actually prove.
Check the visible identitySenderFromDomain helps reveal what the sender wanted users to believe.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating SenderFromDomain in Microsoft Defender XDR

Agent Foskett Academy Lesson 68 teaches defenders how to investigate SenderFromDomain during Microsoft Defender XDR email investigations.

Learn SenderFromDomain investigation in Defender XDR

This lesson explains how SenderFromDomain, SenderFromAddress, SenderMailFromDomain, AuthenticationDetails, CompositeAuthentication, DeliveryAction and ThreatTypes help defenders identify visible sender domains, impersonation attempts, spoofing patterns and suspicious email activity.