ACSC Logo
© 2026 GEMXIT
GEMXIT Logo
Agent Foskett • EmailEvents • SpoofedDomain Investigation

SpoofedDomain in EmailEvents: What It Means and How to Investigate It

One of the most misunderstood fields inside Microsoft Defender XDR EmailEvents telemetry is SpoofedDomain.

Defenders often discover it during phishing investigations, DMARC failures or suspicious email analysis without fully understanding what triggered it.

The sender address may look legitimate.

The display name may appear familiar.

The email may even pass through normal business workflows.

But the telemetry tells a different story.

The SpoofedDomain field can reveal when Microsoft identified suspicious domain impersonation behaviour inside email traffic, helping investigators identify spoofing attempts, phishing campaigns and authentication anomalies.

This Agent Foskett investigation explains what SpoofedDomain means, how it relates to AuthenticationDetails and EmailAuthenticationResults, and how defenders can investigate suspicious email activity using KQL inside Microsoft Defender XDR.

The inbox looked normal.

The logs already knew.

Discuss email spoofing investigations Back to Investigation Hub
Agent Foskett investigates SpoofedDomain in EmailEvents using Microsoft Defender XDR
Briefing summary

SpoofedDomain can help defenders identify domain impersonation, sender mismatch, DMARC failures and suspicious email behaviour inside Microsoft Defender XDR EmailEvents telemetry.

Review SpoofedDomain values
Correlate AuthenticationDetails
Hunt DMARC and sender alignment issues
🚨 The sender looked trusted. The telemetry disagreed.
SpoofedDomain gives defenders another clue when the visible sender identity and the underlying authentication story do not line up.
Book a security review →

What is SpoofedDomain?

SpoofedDomain is a field defenders may encounter inside Microsoft Defender XDR EmailEvents when Microsoft identifies suspicious domain impersonation or spoofing behaviour. It can help investigators understand which domain was treated as the spoofing target during email analysis.
The sender looked trustedThe visible sender may appear to use a familiar brand, business partner or internal-looking domain.
The domain was suspiciousSpoofedDomain helps highlight the domain Microsoft associated with possible spoofing or impersonation behaviour.
The investigation needs contextSpoofedDomain is a signal, not the full story. Defenders should review authentication results, delivery action, sender fields and user activity.

Why defenders miss it

Spoofed email is often missed because users judge what they can see: display name, logo, subject line and familiar wording. Microsoft Defender telemetry gives defenders a deeper view into what the system processed behind the scenes.
The display name matchedA familiar display name can make a message feel trusted even when the sender infrastructure does not align.
The sender looked familiarAttackers often use similar-looking sender identities, compromised third parties or weakly aligned mail systems.
The alert may be quietSome suspicious emails do not create high-severity incidents. The best clues may sit quietly inside EmailEvents and AuthenticationDetails.

First hunt: find emails with SpoofedDomain values

Start by reviewing EmailEvents where SpoofedDomain has a value. This gives defenders a focused list of emails where Microsoft identified possible domain spoofing or impersonation behaviour.
spoofeddomain-emailevents-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(7d)
| where SpoofedDomain != ""
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          SpoofedDomain,
          AuthenticationDetails,
          EmailDirection,
          ThreatTypes
| order by Timestamp desc
What to reviewLook at sender, recipient, subject, SpoofedDomain, authentication details, delivery outcome and threat classifications.
Why it mattersThis field can highlight domain impersonation that may not be obvious from the inbox view alone.
Best next pivotPivot into AuthenticationDetails, UrlClickEvents, EmailUrlInfo, delivery action and user click behaviour.

How SpoofedDomain relates to AuthenticationDetails

SpoofedDomain is most useful when defenders compare it against authentication signals. AuthenticationDetails may include SPF, DKIM, DMARC or composite authentication results that explain why the message did not fully align.
SPF alignmentSPF can pass for the sending infrastructure while still not proving the visible sender identity is trustworthy.
DKIM and DMARCDKIM and DMARC can reveal whether the sender domain aligned with the message identity users saw.
CompAuth contextComposite authentication can help explain whether Microsoft treated the email as authenticated, suspicious, spoofed or misaligned.

Second hunt: DMARC failures with SpoofedDomain context

DMARC failures are a strong investigation pivot. Not every DMARC failure is malicious, but a DMARC failure alongside a SpoofedDomain value deserves careful review.
dmarc-fail-spoofeddomain-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(7d)
| where AuthenticationDetails has "dmarc=fail"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          AuthenticationDetails,
          SpoofedDomain
| order by Timestamp desc

Third hunt: follow user clicks after suspicious email delivery

A spoofed or impersonated email becomes more serious when the recipient interacts with it. After reviewing EmailEvents, pivot into UrlClickEvents to identify whether users clicked links after suspicious delivery.
url-clicks-after-spoofed-email.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,
          ThreatTypes,
          NetworkMessageId
| order by Timestamp desc

What SpoofedDomain does not automatically mean

SpoofedDomain is an investigation signal. It does not automatically prove that every message is malicious. Good defenders validate the surrounding evidence before deciding on impact.
Third-party sendersMarketing systems, ticketing platforms and SaaS tools may send mail on behalf of a domain with imperfect alignment.
Forwarding and relaysMail forwarding, hybrid mail flow and security gateways can alter authentication results and require careful interpretation.
Misconfiguration is possibleSPF, DKIM or DMARC problems may reflect configuration drift rather than a confirmed attack, but they still deserve investigation.

Where defenders get caught

Email spoofing investigations fail when teams only trust the visual inbox experience or only look at one authentication result. The strongest investigations compare sender identity, authentication details, delivery action and user behaviour.
They trust the visible senderWhat the user sees is not always what the system authenticated.
They stop at one fieldSpoofedDomain is useful, but it must be interpreted with AuthenticationDetails, delivery action and threat classification.
They miss user activityIf the email was delivered and clicked, the investigation must continue into URL clicks, sign-ins and mailbox behaviour.

How GEMXIT approaches this type of investigation

At GEMXIT, we treat SpoofedDomain as one part of the wider email investigation story. We review the message, sender alignment, authentication details, delivery outcome and what the recipient did next.
We compare sender fieldsSenderFromAddress, SenderMailFromAddress, domains, display names and authentication results all help explain the real sender story.
We correlate user behaviourDelivery alone is not the full incident. URL clicks, mailbox access and sign-in activity help reveal whether the user interacted with the threat.
We improve email trust controlsResponse may include DMARC enforcement, SPF and DKIM cleanup, sender alignment review, Defender tuning and user education.
The sender address may look trusted. The telemetry still needs to prove it.
GEMXIT helps organisations investigate SpoofedDomain, EmailEvents, AuthenticationDetails, DMARC failures, Defender XDR telemetry and practical KQL hunting workflows.
Contact GEMXIT

Final thought

The inbox looked normal.

The sender looked familiar.

The email passed through the environment quietly.

But the telemetry already knew something was wrong.

The real investigation started with one field:

SpoofedDomain.
At GEMXITWe help organisations investigate Microsoft Defender XDR, spoofed email, DMARC failures, suspicious delivery, URL clicks and real-world security operations workflows.
Agent Foskett mindsetThe question is not only: “Who did the email appear to come from?”

It is: “What did the telemetry prove?”

Continue the investigation with KQL Email Spoofing, Detect DMARC Fail Emails in Microsoft Defender, EmailEvents KQL Guide, The Email Came From Me, The Email Passed SPF But Was Still Malicious, SpoofedDomain and EmailEvents in Microsoft Defender, Microsoft Defender KQL Threat Hunting Guide, Microsoft Security and the GEMXIT Security Review.

Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD
ACSC Logo

GEMXIT PTY LTD  |  GEMXIT UK LTD  |  © GEMXIT 2026

SpoofedDomain in EmailEvents

This Agent Foskett briefing explains what the SpoofedDomain field means inside Microsoft Defender XDR EmailEvents and how defenders can use it during spoofed email and phishing investigations.

Microsoft Defender XDR EmailEvents SpoofedDomain Investigation

GEMXIT helps organisations investigate SpoofedDomain, EmailEvents, AuthenticationDetails, EmailAuthenticationResults, DMARC failures, spoofed email, phishing attempts, suspicious delivery and user click activity.

AuthenticationDetails, DMARC Failures and KQL Hunting

Defenders should compare SpoofedDomain values with AuthenticationDetails, SPF, DKIM, DMARC, sender fields, delivery actions and UrlClickEvents to understand whether an email was spoofed, misconfigured or malicious.