Agent Foskett Academy • Lesson 61 • Email Investigation

Investigating SenderIPv4 in Microsoft Defender XDR.

The email passed inspection.

SPF looked legitimate.

DKIM validated correctly.

Yet Agent Foskett still wanted to know one thing.

Where did the message actually originate?

Every email begins its journey somewhere.

In Microsoft Defender XDR, SenderIPv4 helps defenders identify the originating IPv4 address behind a message and investigate phishing campaigns, suspicious infrastructure, spoofing attempts and malicious email activity.

Agent Foskett Academy lesson explaining SenderIPv4 in Microsoft Defender XDR
Lesson overview

Learn how to investigate originating IPv4 addresses in EmailEvents and connect sending infrastructure to domains, threats and delivery outcomes.

Identify sender infrastructure
Investigate phishing campaigns
Compare domains and IP addresses
Correlate IP evidence with threat classifications

Why SenderIPv4 matters

Authentication tells you whether an email passed checks. SenderIPv4 helps you understand the infrastructure behind the message.
It identifies sending infrastructureSenderIPv4 reveals the originating IPv4 address associated with an email message and helps defenders understand where the message came from.
It supports phishing investigationsMalicious campaigns often reuse sender infrastructure, allowing defenders to connect messages that appear unrelated at first glance.
It strengthens threat huntingSenderIPv4 can be grouped, filtered and correlated with domains, threat classifications, delivery actions and reputation evidence.

The fields used in this lesson

These fields help defenders connect sender IP evidence to message identity, classification and delivery outcomes.
SenderIPv4The originating IPv4 address associated with the email message.
SenderFromAddressThe visible sender address shown in the message.
SenderFromDomainThe visible sender domain presented to the recipient.
AuthenticationDetailsSPF, DKIM, DMARC and composite authentication details used to assess sender legitimacy.
ThreatTypesMicrosoft's threat classification, such as phishing, malware, spam or spoofing.
DeliveryActionThe action Microsoft 365 applied to the email during delivery and filtering.

Step 1 — Review SenderIPv4 activity

Start by reviewing recent messages where Defender recorded an originating IPv4 address.
review-senderipv4.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv4)
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          SenderIPv4,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Find top sending IP addresses

Summarising SenderIPv4 helps defenders identify high-volume senders and unusual infrastructure.
top-senderipv4-addresses.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv4)
| summarize MessageCount = count() by SenderIPv4
| order by MessageCount desc

Step 3 — Review threats by IP address

Compare sender IP addresses with Microsoft threat classifications to identify infrastructure associated with suspicious activity.
senderipv4-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv4)
| summarize MessageCount = count()
          by SenderIPv4,
             ThreatTypes
| order by MessageCount desc

Step 4 — Investigate a specific sender IP

When an IP address appears suspicious, focus on messages associated with that address and review recipients, domains and subjects.
investigate-specific-senderipv4.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where SenderIPv4 == "192.0.2.10"
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction
| order by Timestamp desc

Step 5 — Review suspicious messages with sender IP evidence

SenderIPv4 is especially useful when reviewed alongside ThreatTypes, DeliveryAction and AuthenticationDetails.
suspicious-messages-senderipv4.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv4)
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderIPv4,
          SenderFromAddress,
          SenderFromDomain,
          Subject,
          ThreatTypes,
          AuthenticationDetails,
          DeliveryAction
| order by Timestamp desc

Step 6 — Compare sender domains and IP addresses

This helps identify domains using unexpected IP addresses, high-volume infrastructure or unusual sending patterns.
senderdomain-senderipv4-comparison.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv4)
| summarize MessageCount = count()
          by SenderFromDomain,
             SenderIPv4
| order by MessageCount desc

How to read the results

SenderIPv4 is infrastructure evidence. It should be interpreted with sender identity, authentication and delivery context.
One IP can send many campaignsA single sender IP may appear across multiple messages, domains, recipients and subjects during a campaign.
Legitimate domains still need validationA familiar sender domain should still be checked against expected infrastructure and authentication results.
Delivery context changes the riskA suspicious sender IP matters more when messages were delivered, clicked or associated with phishing classifications.

Common investigation uses

SenderIPv4 helps defenders move from message-level evidence to infrastructure-level investigation.
Phishing campaign analysisIdentify whether multiple phishing messages share the same sender infrastructure.
Spoofing investigationsCompare visible sender domains with the IP addresses that actually sent the messages.
Threat intelligence enrichmentUse suspicious sender IPs for reputation checks, blocking decisions and wider campaign correlation.

Common mistakes

SenderIPv4 is useful, but it does not tell the full story by itself.
Assuming the visible sender is enoughThe From address may look trusted while the sender infrastructure tells a different story.
Ignoring authentication contextAlways compare SenderIPv4 with AuthenticationDetails, SPF, DKIM, DMARC and composite authentication results.
Treating one IP as automatic proofSender IP evidence should be correlated with volume, reputation, threat classification and delivery outcomes before drawing conclusions.
The domain was only part of the story.
Use SenderIPv4 to investigate the infrastructure behind the message and determine whether the sending path matches the claimed sender.
Back to Academy →

What you learned

SenderIPv4 identifies infrastructureIt helps defenders see the originating IPv4 address associated with email messages.
IP evidence supports campaign analysisGrouping by SenderIPv4 can reveal repeated sender infrastructure across phishing and spoofing activity.
Context is essentialSenderIPv4 should be reviewed with AuthenticationDetails, ThreatTypes, DeliveryAction and sender domain evidence.

Related Agent Foskett Academy lessons

Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating EmailAuthenticationResultsUnderstand email authentication evidence in Defender XDR.
Investigating SenderFromAddress vs SenderMailFromAddressCompare visible sender and envelope sender evidence.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.
Investigating DetectionMethodsUnderstand how Microsoft identified and classified the message.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating OrgLevelActionReview organisational policy actions applied to suspicious messages.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.

Coming next

Lesson 62 — Investigating SenderIPv6 in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use SenderIPv6 to investigate IPv6 sender infrastructure behind suspicious email activity.
Why this mattersSenderIPv4 shows IPv4 infrastructure. SenderIPv6 completes the sender infrastructure picture for environments and providers using IPv6.
What you will learn nextLearn how IPv6 sender evidence supports phishing, spoofing, infrastructure and email authentication investigations.

Final thought

The sender name is what the user sees. The sender IP is part of what the investigation sees.
Agent Foskett mindsetDo not stop at the visible sender. Follow the infrastructure behind the message.
Read the originSenderIPv4 turns an email investigation into an infrastructure investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating SenderIPv4 in Microsoft Defender XDR

Agent Foskett Academy Lesson 61 teaches defenders how to investigate SenderIPv4 during Microsoft Defender XDR email investigations.

Learn sender IP investigation in Defender XDR

This lesson explains how SenderIPv4, SenderFromDomain, AuthenticationDetails, ThreatTypes and DeliveryAction help defenders investigate suspicious email infrastructure, phishing campaigns, spoofing attempts and sender reputation.