
Detect Email Spoofing in Microsoft Defender with KQL

When an email looks like it came from someone trusted, the logs can tell a different story.

This page gives practical, copy-paste KQL queries for Microsoft Defender XDR to investigate spoofed domains, sender alignment, DMARC failures, suspicious delivery and URL click activity.

It is designed for analysts, admins and business owners who want real investigation paths, not marketing fluff.

Detect Email Spoofing in Microsoft Defender with KQL by GEMXIT
KQL page summary

A focused Microsoft Defender KQL page built around the terms analysts actually search for when chasing this problem: spoofeddomain, EmailEvents, AuthenticationDetails and KQL.

EmailEvents spoofing checks
SenderFromDomain vs SenderMailFromDomain
DMARC failure and URL click pivots

Copy-paste KQL for email spoofing checks

Start here when an email looks trusted but the authentication story does not line up. This query surfaces SPF, DKIM, DMARC and spoofing signals from Microsoft Defender XDR EmailEvents.
email-spoofing-authentication.kql
EmailEvents
| where Timestamp > ago(30d)
// AuthenticationDetails is a JSON string of verdicts such as
// {"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}, so it is parsed
// and each verdict tested; a has_any on "spf=fail" text never matches that format.
// Spoof verdicts themselves live in DetectionMethods (e.g. "Spoof external domain").
| extend Auth = parse_json(AuthenticationDetails)
| where tostring(Auth.SPF) =~ "fail"
    or tostring(Auth.DKIM) =~ "fail"
    or tostring(Auth.DMARC) =~ "fail"
    or tostring(Auth.CompAuth) =~ "fail"
    or DetectionMethods has "Spoof"
| project
    Timestamp,
    SenderFromAddress,
    SenderFromDomain,
    SenderMailFromAddress,
    SenderMailFromDomain,
    RecipientEmailAddress,
    Subject,
    AuthenticationDetails,
    ThreatTypes,
    DeliveryAction,
    NetworkMessageId
| order by Timestamp desc
What this finds: Messages where sender trust, authentication or spoofing indicators deserve closer review.
Why it matters: Spoofing often works because the user trusts the visible sender before seeing the technical evidence.
Best pivot: Use NetworkMessageId to pivot into URL clicks and user activity.

Compare visible sender and envelope sender

The visible From address is what the user sees in the mail client. The Mail From address (the envelope sender) belongs to the delivery path and is normally invisible to the user. Mismatches are not always malicious, but they are worth checking.
sender-domain-alignment.kql
EmailEvents
| where Timestamp > ago(30d)
// !~ compares case-insensitively, so Example.com and example.com are not reported as a mismatch;
// an empty SenderMailFromDomain (null sender, e.g. bounces) will still surface here for review
| where SenderFromDomain !~ SenderMailFromDomain
| project
    Timestamp,
    SenderFromAddress,
    SenderFromDomain,
    SenderMailFromAddress,
    SenderMailFromDomain,
    RecipientEmailAddress,
    Subject,
    AuthenticationDetails,
    DeliveryAction
| order by Timestamp desc
Used for: Identifying sender alignment mismatches that may indicate forwarding, third-party sending or impersonation.
Check context: Compare subject, recipient, delivery action and authentication details before deciding severity.
Agent Foskett tip: Do not chase one field in isolation. Let the evidence tell the story.

Find repeated spoofing campaigns

One strange message is interesting. Repeated sender, subject or authentication patterns across recipients may indicate a campaign.
spoofing-campaign-summary.kql
EmailEvents
| where Timestamp > ago(30d)
// same parsed-verdict filter as the authentication query: AuthenticationDetails is JSON,
// so the verdicts are tested individually rather than searched as "spf=fail" text
| extend Auth = parse_json(AuthenticationDetails)
| where tostring(Auth.SPF) =~ "fail" or tostring(Auth.DKIM) =~ "fail"
    or tostring(Auth.DMARC) =~ "fail" or DetectionMethods has "Spoof"
| summarize
    MessageCount = count(),
    RecipientCount = dcount(RecipientEmailAddress)
    by SenderFromAddress, SenderFromDomain, Subject, DeliveryAction
| where MessageCount >= 3
| order by MessageCount desc
Used for: Turning individual messages into patterns across users and mailboxes.
Why it matters: Campaign patterns help separate noise from active targeting.
Next step: Block, purge, notify users or escalate depending on delivery and click activity.
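The alignment and campaign logic of the two queries above, run offline over constructed sample rows so the edge cases can be checked without a tenant. This is an added example, not code from the page or from GEMXIT; it assumes AuthenticationDetails is the JSON verdict string Defender stores, and it goes one step beyond the page by treating a subdomain mismatch (relaxed DMARC alignment) as benign rather than flagging every domain difference.

```python
import json
from collections import defaultdict

# Constructed sample rows shaped like the EmailEvents columns the page's queries
# project (not real telemetry). AuthenticationDetails is assumed to be the JSON
# verdict string Defender stores, e.g. {"SPF":"fail","DKIM":"none","DMARC":"fail"}.
def _ev(frm, mail_from, rcpt, subject, spf, dkim, dmarc):
    return {"SenderFromAddress": frm, "SenderFromDomain": frm.split("@")[1],
            "SenderMailFromAddress": mail_from, "SenderMailFromDomain": mail_from.split("@")[1],
            "RecipientEmailAddress": rcpt, "Subject": subject,
            "AuthenticationDetails": json.dumps({"SPF": spf, "DKIM": dkim, "DMARC": dmarc})}
EVENTS = [  # three lookalike "CEO" mails, one relaxed-aligned newsletter, one third-party sender
    _ev("ceo@corp.example", "bounce@mailer.invalid", "a@corp.example", "Urgent wire", "fail", "none", "fail"),
    _ev("ceo@corp.example", "bounce@mailer.invalid", "b@corp.example", "Urgent wire", "fail", "none", "fail"),
    _ev("ceo@corp.example", "bounce@mailer.invalid", "c@corp.example", "Urgent wire", "fail", "none", "fail"),
    _ev("news@partner.example", "b@mail.partner.example", "a@corp.example", "Newsletter", "pass", "pass", "pass"),
    _ev("hr@vendor.example", "hr@saas-sender.example", "b@corp.example", "Payslip", "pass", "pass", "pass"),
]
def org_domain(domain):
    # Last two labels approximate the organizational domain (assumption: real DMARC
    # relaxed alignment consults the Public Suffix List, so co.uk-style names differ).
    labels = domain.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()
def auth_failures(auth_details):
    # Only a hard "fail" counts; "none" and "softfail" verdicts are left for manual review.
    verdicts = json.loads(auth_details or "{}")
    return [k for k in ("SPF", "DKIM", "DMARC") if str(verdicts.get(k, "")).lower() == "fail"]
def alignment(event):
    # strict = identical domains, relaxed = same org domain, none = mismatch.
    visible, envelope = event["SenderFromDomain"].lower(), event["SenderMailFromDomain"].lower()
    if visible == envelope:
        return "strict"
    return "relaxed" if org_domain(visible) == org_domain(envelope) else "none"
def triage(events):
    # Rows worth review: any hard auth failure, or no alignment at all; a relaxed
    # subdomain mismatch alone is not flagged, which cuts the noise the page warns about.
    rows = []
    for ev in events:
        fails, align = auth_failures(ev["AuthenticationDetails"]), alignment(ev)
        if fails or align == "none":
            rows.append({**ev, "Failures": fails, "Alignment": align})
    return rows
def campaigns(events, min_messages=3):
    # Mirror of the summarize/dcount step: flagged rows grouped by sender and subject.
    groups = defaultdict(lambda: [0, set()])
    for row in triage(events):
        g = groups[(row["SenderFromAddress"], row["Subject"])]
        g[0] += 1
        g[1].add(row["RecipientEmailAddress"])
    return {k: (n, len(r)) for k, (n, r) in groups.items() if n >= min_messages}
```

With the sample rows, triage flags the three lookalike mails and the third-party sender but not the subdomain newsletter, and campaigns reports the lookalike sender once with 3 messages to 3 recipients.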

Pivot from suspicious email to URL clicks

A suspicious email becomes more serious when a user clicked. This query joins suspicious messages to UrlClickEvents using NetworkMessageId.
spoofed-email-to-clicks.kql
let SuspiciousMessages =
    EmailEvents
    | where Timestamp > ago(30d)
    // same parsed-verdict filter as the authentication query above
    | extend Auth = parse_json(AuthenticationDetails)
    | where tostring(Auth.SPF) =~ "fail" or tostring(Auth.DKIM) =~ "fail"
        or tostring(Auth.DMARC) =~ "fail" or DetectionMethods has "Spoof"
    | project NetworkMessageId, EmailTime = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject;
SuspiciousMessages
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(30d)
    // ActionType records whether the click was allowed or blocked
    | project NetworkMessageId, ClickTime = Timestamp, AccountUpn, Url, ActionType
) on NetworkMessageId
| order by ClickTime desc
Used for: Confirming whether suspicious delivery turned into user interaction.
What to review: Allowed clicks, repeated clicks, unfamiliar URLs and timing around delivery.
Best pivot: Move from the user and timestamp into sign-ins, device activity and mailbox actions.

GEMXIT Microsoft Security

GEMXIT uses Microsoft Defender, Sentinel and Entra ID to support practical security operations, threat hunting and response planning.