Agent Foskett Academy • Lesson 62 • Email Investigation

Investigating SenderIPv6 in Microsoft Defender XDR.

The email passed inspection.

SPF looked legitimate.

DKIM validated correctly.

Yet Agent Foskett still wanted to know one thing.

Where did the message actually originate?

Every email begins its journey somewhere.

In Microsoft Defender XDR, SenderIPv6 helps defenders identify the originating IPv6 address behind a message and investigate phishing campaigns, suspicious infrastructure, spoofing attempts and malicious email activity.

Agent Foskett Academy lesson explaining SenderIPv6 in Microsoft Defender XDR
Lesson overview

Learn how to investigate originating IPv6 addresses in EmailEvents and connect sending infrastructure to domains, threats and delivery outcomes.

Identify sender infrastructure
Investigate phishing campaigns
Compare domains and IPv6 addresses
Correlate IP evidence with threat classifications

Why SenderIPv6 matters

Authentication tells you whether an email passed checks. SenderIPv6 helps you understand the infrastructure behind the message.
It identifies sending infrastructureSenderIPv6 reveals the originating IPv6 address associated with an email message and helps defenders understand where the message came from.
It supports phishing investigationsMalicious campaigns often reuse sender infrastructure, allowing defenders to connect messages that appear unrelated at first glance.
It strengthens threat huntingSenderIPv6 can be grouped, filtered and correlated with domains, threat classifications, delivery actions and reputation evidence.

The fields used in this lesson

These fields help defenders connect sender IP evidence to message identity, classification and delivery outcomes.
SenderIPv6The originating IPv6 address associated with the email message.
SenderFromAddressThe visible sender address shown in the message.
SenderFromDomainThe visible sender domain presented to the recipient.
AuthenticationDetailsSPF, DKIM, DMARC and composite authentication details used to assess sender legitimacy.
ThreatTypesMicrosoft's threat classification, such as phishing, malware, spam or spoofing.
DeliveryActionThe action Microsoft 365 applied to the email during delivery and filtering.

Step 1 — Review SenderIPv6 activity

Start by reviewing recent messages where Defender recorded an originating IPv6 address.
review-senderipv6.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv6)
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          SenderIPv6,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Find top sender IPv6 addresses

Summarising SenderIPv6 helps defenders identify high-volume senders and unusual infrastructure.
top-senderipv6-addresses.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv6)
| summarize MessageCount = count() by SenderIPv6
| order by MessageCount desc

Step 3 — Review threats by IPv6 address

Compare sender IPv6 infrastructure with Microsoft threat classifications to identify infrastructure associated with suspicious activity.
senderipv6-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv6)
| summarize MessageCount = count()
          by SenderIPv6,
             ThreatTypes
| order by MessageCount desc

Step 4 — Investigate a specific sender IP

When an IPv6 address appears suspicious, focus on messages associated with that address and review recipients, domains and subjects.
investigate-specific-senderipv6.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where SenderIPv6 == "2001:db8::1"
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction
| order by Timestamp desc

Step 5 — Review suspicious messages with sender IP evidence

SenderIPv6 is especially useful when reviewed alongside ThreatTypes, DeliveryAction and AuthenticationDetails.
suspicious-messages-senderipv6.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv6)
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderIPv6,
          SenderFromAddress,
          SenderFromDomain,
          Subject,
          ThreatTypes,
          AuthenticationDetails,
          DeliveryAction
| order by Timestamp desc

Step 6 — Compare sender domains and IPv6 addresses

This helps identify domains using unexpected IPv6 addresses, high-volume infrastructure or unusual sending patterns.
senderdomain-senderipv6-comparison.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderIPv6)
| summarize MessageCount = count()
          by SenderFromDomain,
             SenderIPv6
| order by MessageCount desc

How to read the results

SenderIPv6 is infrastructure evidence. It should be interpreted with sender identity, authentication and delivery context.
One IP can send many campaignsA single sender IP may appear across multiple messages, domains, recipients and subjects during a campaign.
Legitimate domains still need validationA familiar sender domain should still be checked against expected infrastructure and authentication results.
Delivery context changes the riskA suspicious sender IP matters more when messages were delivered, clicked or associated with phishing classifications.

Common investigation uses

SenderIPv6 helps defenders move from message-level evidence to infrastructure-level investigation.
Phishing campaign analysisIdentify whether multiple phishing messages share the same sender infrastructure.
Spoofing investigationsCompare visible sender domains with the IPv6 addresses that actually sent the messages.
Threat intelligence enrichmentUse suspicious sender IPs for reputation checks, blocking decisions and wider campaign correlation.

Common mistakes

SenderIPv6 is useful, but it does not tell the full story by itself.
Assuming the visible sender is enoughThe From address may look trusted while the sender infrastructure tells a different story.
Ignoring authentication contextAlways compare SenderIPv6 with AuthenticationDetails, SPF, DKIM, DMARC and composite authentication results.
Treating one IP as automatic proofSender IP evidence should be correlated with volume, reputation, threat classification and delivery outcomes before drawing conclusions.
The domain was only part of the story.
Use SenderIPv6 to investigate the infrastructure behind the message and determine whether the sending path matches the claimed sender.
Back to Academy →

What you learned

SenderIPv6 identifies infrastructureIt helps defenders see the originating IPv6 address associated with email messages.
IP evidence supports campaign analysisGrouping by SenderIPv6 can reveal repeated sender infrastructure across phishing and spoofing activity.
Context is essentialSenderIPv6 should be reviewed with AuthenticationDetails, ThreatTypes, DeliveryAction and sender domain evidence.

Related Agent Foskett Academy lessons

Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating EmailAuthenticationResultsUnderstand email authentication evidence in Defender XDR.
Investigating SenderFromAddress vs SenderMailFromAddressCompare visible sender and envelope sender evidence.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.
Investigating DetectionMethodsUnderstand how Microsoft identified and classified the message.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating OrgLevelActionReview organisational policy actions applied to suspicious messages.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.

Coming next

Lesson 63 — Investigating SenderMailFromAddress in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use SenderMailFromAddress to investigate the envelope sender behind email messages.
Why this mattersSenderIPv6 shows IPv6 infrastructure. SenderMailFromAddress helps explain which envelope sender was used during mail transport.
What you will learn nextLearn how SenderMailFromAddress supports SPF alignment, spoofing investigations, sender mismatch analysis and mail flow investigations.

Final thought

The sender name is what the user sees. The sender IP is part of what the investigation sees.
Agent Foskett mindsetDo not stop at the visible sender. Follow the infrastructure behind the message.
Read the originSenderIPv6 turns an email investigation into an infrastructure investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating SenderIPv6 in Microsoft Defender XDR

Agent Foskett Academy Lesson 62 teaches defenders how to investigate SenderIPv6 during Microsoft Defender XDR email investigations.

Learn sender IP investigation in Defender XDR

This lesson explains how SenderIPv6, SenderFromDomain, AuthenticationDetails, ThreatTypes and DeliveryAction help defenders investigate suspicious email infrastructure, phishing campaigns, spoofing attempts and sender reputation.