Investigating SenderFromDomain in Microsoft Defender XDR.
The email looked legitimate.
The sender appeared to be from a trusted company.
Yet something about the domain did not feel right.
Agent Foskett needed to determine what domain recipients were actually shown.
The answer was hidden inside SenderFromDomain.
In Microsoft Defender XDR, SenderFromDomain helps defenders investigate the visible sender domain presented to recipients, making it easier to identify impersonation, spoofing and suspicious email activity.
Lesson overview
Learn how to investigate SenderFromDomain in EmailEvents and compare visible sender domains with SMTP sender evidence, authentication outcomes and threat classifications.
Why SenderFromDomain matters
The fields used in this lesson
Step 1 — Review SenderFromDomain activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| project Timestamp,
SenderFromDomain,
SenderFromAddress,
RecipientEmailAddress,
Subject
| order by Timestamp desc
Step 2 — Count messages by visible sender domain
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailEvents | where Timestamp > ago(30d) | where isnotempty(SenderFromDomain) | summarize MessageCount = count() by SenderFromDomain | order by MessageCount desc
Step 3 — Compare visible and SMTP sender domains
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| project Timestamp,
SenderFromDomain,
SenderMailFromDomain,
SenderFromAddress,
AuthenticationDetails,
Subject
| order by Timestamp desc
Step 4 — Investigate a suspicious visible domain
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain contains "microsoft"
| project Timestamp,
SenderFromDomain,
SenderMailFromDomain,
SenderFromAddress,
RecipientEmailAddress,
Subject,
ThreatTypes
| order by Timestamp desc
Step 5 — Review threats by SenderFromDomain
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| summarize MessageCount = count()
by SenderFromDomain,
ThreatTypes
| order by MessageCount desc
Step 6 — Compare SenderFromDomain with authentication and delivery outcomes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderFromDomain)
| summarize MessageCount = count()
by SenderFromDomain,
CompositeAuthentication,
DeliveryAction,
DeliveryLocation
| order by MessageCount desc
How to read the results
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating SenderFromDomain in Microsoft Defender XDR
Agent Foskett Academy Lesson 68 teaches defenders how to investigate SenderFromDomain during Microsoft Defender XDR email investigations.
Learn SenderFromDomain investigation in Defender XDR
This lesson explains how SenderFromDomain, SenderFromAddress, SenderMailFromDomain, AuthenticationDetails, CompositeAuthentication, DeliveryAction and ThreatTypes help defenders identify visible sender domains, impersonation attempts, spoofing patterns and suspicious email activity.
