Agent Foskett Academy • Lesson 63 • Email Investigation

Investigating SenderMailFromAddress in Microsoft Defender XDR.

The email appeared to come from a trusted sender.

The display address looked legitimate.

The domain matched the organisation.

Yet Agent Foskett noticed something unusual.

The address visible to the user was not the same address used during mail delivery.

Behind every email is another sender identity that many defenders overlook.

In Microsoft Defender XDR, SenderMailFromAddress helps investigators identify the SMTP envelope sender used during message delivery, making it valuable for spoofing, phishing and email authentication investigations.

Agent Foskett Academy lesson explaining SenderMailFromAddress in Microsoft Defender XDR
Lesson overview

Learn how to investigate the SMTP envelope sender in EmailEvents and compare it with the sender address shown to users.

Review SenderMailFromAddress evidence
Compare visible and SMTP senders
Investigate spoofing and phishing attempts
Support SPF and DMARC investigations

Why SenderMailFromAddress matters

SenderFromAddress shows what the recipient sees. SenderMailFromAddress helps reveal the SMTP sender identity used behind the scenes.
It identifies the SMTP senderSenderMailFromAddress records the envelope sender address used during message transport.
It exposes sender mismatchComparing SenderFromAddress and SenderMailFromAddress can reveal spoofing, impersonation and mail flow anomalies.
It supports authentication analysisSPF and DMARC investigations often depend on understanding the technical sender identity behind the visible From address.

The fields used in this lesson

These fields help defenders compare what the user saw with what the mail system actually processed.
SenderMailFromAddressThe SMTP envelope sender address used during mail delivery.
SenderFromAddressThe visible sender address displayed to the recipient.
SenderFromDomainThe visible sender domain shown in the From address.
SenderMailFromDomainThe SMTP envelope sender domain used during message transport.
AuthenticationDetailsSPF, DKIM, DMARC and composite authentication evidence associated with the message.
DeliveryActionThe action Microsoft 365 applied to the email during delivery and filtering.

Step 1 — Review SenderMailFromAddress activity

Start by reviewing recent messages where Defender recorded an SMTP envelope sender address.
review-sendermailfromaddress.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderMailFromAddress)
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Compare visible and SMTP senders

This query highlights messages where the sender shown to the recipient differs from the SMTP envelope sender.
senderfrom-vs-sendermailfrom.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderMailFromAddress)
| where SenderFromAddress != SenderMailFromAddress
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          Subject
| order by Timestamp desc

Step 3 — Review top SMTP senders

Summarising SenderMailFromAddress helps identify high-volume envelope senders and unusual sending behaviour.
top-sendermailfromaddress.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(SenderMailFromAddress)
| summarize MessageCount = count() by SenderMailFromAddress
| order by MessageCount desc

Step 4 — Investigate threats by SMTP sender

Threat classifications become more useful when compared with the visible sender and the envelope sender.
sendermailfromaddress-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          ThreatTypes,
          DeliveryAction,
          Subject
| order by Timestamp desc

Step 5 — Investigate authentication issues

Authentication failures should be reviewed with both visible and SMTP sender evidence.
sendermailfromaddress-authentication-failures.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where AuthenticationDetails contains "fail"
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          AuthenticationDetails,
          Subject
| order by Timestamp desc

Step 6 — Compare sender identity pairs

This helps defenders find repeated mismatches between the visible sender and the SMTP envelope sender.
sender-identity-pairs.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count()
          by SenderFromAddress,
             SenderMailFromAddress
| order by MessageCount desc

How to read the results

SenderMailFromAddress is mail transport evidence. It should be interpreted with the visible sender, authentication results and delivery outcome.
The user sees SenderFromAddressThe visible sender may look familiar, trusted or internal even when the envelope sender tells a different story.
The mail system sees SenderMailFromAddressThe SMTP envelope sender is important for mail delivery and many authentication investigations.
Mismatch is investigation contextA mismatch does not automatically mean malicious activity, but it should be explained before closing the case.

Common investigation uses

SenderMailFromAddress helps defenders understand whether the visible sender and the SMTP sender align.
Email spoofingCompare visible sender identities against the SMTP envelope sender used during delivery.
SPF troubleshootingUnderstand which sender identity may have been evaluated during SPF checks.
DMARC analysisReview sender alignment between visible From domains, Mail From domains and authentication results.

Common mistakes

SenderMailFromAddress is often missed because defenders focus only on what the user saw.
Assuming visible means realThe address shown to users may not be the same address used during SMTP delivery.
Ignoring mail flow identitiesAuthentication and delivery behaviour often depend on technical sender identities that are not obvious to users.
Skipping authentication contextAlways compare SenderMailFromAddress with AuthenticationDetails, SenderFromDomain, SenderMailFromDomain and DeliveryAction.
The visible sender was only part of the message.
Use SenderMailFromAddress to investigate the SMTP sender behind the email and determine whether the sender identity makes sense.
Back to Academy →

What you learned

SenderMailFromAddress identifies the SMTP senderIt helps defenders review the envelope sender used during message transport.
Sender identity mismatch mattersComparing SenderFromAddress and SenderMailFromAddress can expose spoofing, phishing and authentication issues.
Authentication needs sender contextSPF, DKIM, DMARC and composite authentication make more sense when the sender identities are understood.

Related Agent Foskett Academy lessons

Investigating SenderIPv4Review IPv4 sender infrastructure behind suspicious email messages.
Investigating SenderIPv6Review IPv6 sender infrastructure behind suspicious email messages.
Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating EmailAuthenticationResultsUnderstand email authentication evidence in Defender XDR.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating OrgLevelActionReview organisational policy actions applied to suspicious messages.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.

Coming next

Lesson 64 — Investigating SenderMailFromDomain in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use SenderMailFromDomain to investigate the SMTP envelope sender domain behind email messages.
Why this mattersSenderMailFromAddress reveals the SMTP sender address. SenderMailFromDomain helps explain the technical sender domain used during mail transport.
What you will learn nextLearn how SMTP sender domain evidence supports SPF, DMARC, spoofing and sender alignment investigations.

Final thought

The sender address at the top of the email is not always the full sender story.
Agent Foskett mindsetDo not stop at the sender the user saw. Follow the SMTP sender behind the message.
Read the envelopeSenderMailFromAddress turns a visible sender investigation into a mail transport investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating SenderMailFromAddress in Microsoft Defender XDR

Agent Foskett Academy Lesson 63 teaches defenders how to investigate SenderMailFromAddress during Microsoft Defender XDR email investigations.

Learn SMTP sender address investigation in Defender XDR

This lesson explains how SenderMailFromAddress, SenderFromAddress, SenderMailFromDomain, AuthenticationDetails, ThreatTypes and DeliveryAction help defenders investigate spoofing, phishing and email authentication issues.