
The Disney Email Wasn’t From Disney

The email looked legitimate.

The Disney branding looked real. The layout looked polished. The message sounded calm, professional and believable.

It claimed there was an issue renewing a Disney subscription and urged the recipient to update their information to avoid interruption.

At first glance, it looked convincing.

But one detail broke the illusion completely.

The sender was MembershipCenterD+ <adu.apps@adu.ac.ae>.

Not Disney. Not a Disney-owned domain. Not even remotely related.

This Agent Foskett investigation follows a real-world phishing email using Microsoft Defender XDR telemetry, sender analysis, redirect inspection and KQL hunting techniques.

Briefing summary

A Microsoft Defender XDR investigation into a fake Disney subscription renewal email: a sender mismatch, suspicious redirects, SendGrid tracking links and the phishing infrastructure behind them, worked through in three steps:

Inspect sender identity
Review redirect chains
Hunt with EmailEvents and UrlClickEvents

The logo looked real. The sender did not. Modern phishing is no longer easy to spot by design alone; the investigation starts behind the branding, in the sender, authentication and URL telemetry.

What happened

A subscription renewal email arrived claiming to be from Disney. It advised that renewal had failed and requested updated information to maintain access. The message looked professional, but the sender and links told a different story.
The email looked believable: the branding, wording and layout were designed to feel like a normal subscription notice.
The sender broke the story: the message claimed to be Disney, but the sender address used an unrelated domain, adu.ac.ae.
The links needed inspection: the call-to-action used tracking and redirect infrastructure rather than a clear Disney-owned destination.

Why this kind of phishing works

Attackers do not need a perfect technical exploit when they can exploit trust. Subscription services are effective lures because users already expect billing emails, renewal notices and account prompts.
Branding creates confidence: users recognise the logo before they inspect the sender, headers or links.
Urgency reduces thinking time: "Update needed" and "maintain uninterrupted access" are designed to push fast action.
Redirects hide the destination: tracking links and redirect chains can obscure the final landing page from the user.

First hunt: investigate the sender in EmailEvents

Start by reviewing messages that mention Disney, subscriptions or account updates. Then compare the visible sender with the real sending domain and authentication details.
disney-phishing-sender-investigation.kql
// Candidate messages: the subject mentions the brand or uses renewal/update lure wording
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("Disney", "subscription", "renewal", "update")
// Display name, header From and envelope MAIL FROM rarely agree in brand impersonation,
// so project all three next to each other
| project Timestamp,
          SenderDisplayName,
          SenderFromAddress,
          SenderMailFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          AuthenticationDetails,
          NetworkMessageId
| order by Timestamp desc
What to review: compare the display name, SenderFromAddress, SenderMailFromAddress and the domain actually used to send the message.
Why it matters: brand impersonation often succeeds because the visible display name looks more important than the real sending domain.
Best next pivot: use NetworkMessageId to connect the email to URL click telemetry and campaign activity.

Second hunt: inspect authentication details

A message can look professional and still fail trust checks. AuthenticationDetails carries the SPF, DKIM, DMARC and composite authentication (CompAuth) verdicts for each message as a JSON string, so they can be parsed and projected as separate columns.
email-authenticationdetails-phishing-review.kql
// Pivot on the observed sender domain, or on the same lure wording, and surface the
// per-protocol verdicts that AuthenticationDetails stores as JSON
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain =~ "adu.ac.ae"
    or Subject has_any ("subscription", "renewal", "update")
| extend Auth = parse_json(AuthenticationDetails)
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          Subject,
          DeliveryAction,
          SPF = tostring(Auth.SPF),
          DKIM = tostring(Auth.DKIM),
          DMARC = tostring(Auth.DMARC),
          CompAuth = tostring(Auth.CompAuth)
| order by Timestamp desc
What to review: look for DMARC failures, alignment issues, spoofing signals or senders that do not match the brand. A message can pass SPF, DKIM and DMARC for the domain it really uses (here adu.ac.ae) and still be a phish: authentication proves which domain sent the message, not that the domain is the one the branding claims.
Why it matters: authentication signals help separate trusted brand identity from a message that only looks trusted.
Best next pivot: move from sender and authentication evidence into URL investigation.

Third hunt: review URL clicks and redirects

The phishing email contained links that used external tracking and redirect infrastructure. UrlClickEvents can show whether a user clicked, when it happened and what URL was involved.
phishing-urlclickevents-redirect-review.kql
// Clicks on the tracking and redirect hosts seen in the message. UrlChain lists the hops
// between the clicked tracking link and the landing page; IsClickedThrough shows whether
// the user continued past a Safe Links warning
UrlClickEvents
| where Timestamp > ago(30d)
| where Url has_any ("sendgrid.net", "ziezokleurenstijl", "zug")
| project Timestamp,
          AccountUpn,
          Url,
          UrlChain,
          ActionType,
          IsClickedThrough,
          NetworkMessageId
| order by Timestamp desc
What to review: look for users who clicked, allowed clicks, blocked clicks, redirect URLs and repeated destination patterns.
Why it matters: a tracking URL may not be the final destination. The real risk is often hidden further down the redirect chain.
Best next pivot: correlate click events back to EmailEvents using NetworkMessageId.
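The three hunts above can also be run offline against exported rows. The following Python script is an added example, not code from the original investigation: it joins EmailEvents and UrlClickEvents rows on NetworkMessageId, compares the displayed brand with the From and MAIL FROM domains, reads the SPF/DKIM/DMARC/CompAuth verdicts out of AuthenticationDetails, and walks the redirect hops in UrlChain. The records are constructed: only the display name and From address of the first message come from the page; the MAIL FROM address, the authentication verdicts, the second (legitimate) message, the UrlChain hops and the BRAND_DOMAINS list are assumptions for illustration, and AuthenticationDetails and UrlChain are assumed to be JSON strings as they appear in an exported result.

```python
import json
from urllib.parse import urlparse

# Assumption: the brand the lure impersonates and the domains it legitimately sends from.
BRAND = "disney"
BRAND_DOMAINS = {"disney.com", "disneyplus.com"}

# Constructed rows modelled on EmailEvents. Only the display name and From address of
# msg-0001 come from the investigation; MAIL FROM, AuthenticationDetails and msg-0002
# are illustrative values, not telemetry from the original case.
EMAIL_EVENTS = [
    {"NetworkMessageId": "msg-0001", "SenderDisplayName": "MembershipCenterD+",
     "SenderFromAddress": "adu.apps@adu.ac.ae",
     "SenderMailFromAddress": "bounces+1@em0000.example.invalid",
     "Subject": "Your Disney subscription renewal needs an update",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"fail","CompAuth":"fail"}'},
    {"NetworkMessageId": "msg-0002", "SenderDisplayName": "Disney+",
     "SenderFromAddress": "no-reply@disneyplus.com",
     "SenderMailFromAddress": "bounce@disneyplus.com",
     "Subject": "Your Disney+ subscription has renewed",
     "AuthenticationDetails": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
]

# Constructed rows modelled on UrlClickEvents; UrlChain is assumed to be exported as a
# JSON list of redirect hops, first hop = clicked URL, last hop = landing page.
URL_CLICK_EVENTS = [
    {"NetworkMessageId": "msg-0001", "AccountUpn": "user@contoso.invalid", "ActionType": "ClickAllowed",
     "Url": "https://u0000.ct.sendgrid.net/ls/click?upn=abc",
     "UrlChain": json.dumps(["https://u0000.ct.sendgrid.net/ls/click?upn=abc",
                             "https://redirector.example.invalid/r/1",
                             "https://account-renewal.example.invalid/login"])},
    {"NetworkMessageId": "msg-0002", "AccountUpn": "user@contoso.invalid", "ActionType": "ClickAllowed",
     "Url": "https://www.disneyplus.com/account",
     "UrlChain": json.dumps(["https://www.disneyplus.com/account"])},
]


def domain_of_address(address):
    """Domain part of an SMTP address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def is_brand_domain(domain):
    """True for a brand domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def check_sender(row):
    """First and second hunt: brand vs sending domain, then the authentication verdicts."""
    findings = []
    from_domain = domain_of_address(row["SenderFromAddress"])
    mailfrom_domain = domain_of_address(row["SenderMailFromAddress"])
    claims_brand = BRAND in (row["SenderDisplayName"] + " " + row["Subject"]).lower()
    if claims_brand and not is_brand_domain(from_domain):
        findings.append("brand_sender_mismatch")
    # Weak signal on its own: bulk-mail providers often bounce from their own domain,
    # but it means SPF cannot align with the visible From domain.
    if from_domain != mailfrom_domain:
        findings.append("mailfrom_unaligned")
    auth = json.loads(row["AuthenticationDetails"])
    if auth.get("DMARC", "").lower() != "pass":
        findings.append("dmarc_not_pass")
    if auth.get("CompAuth", "").lower() == "fail":
        findings.append("compauth_fail")
    return findings


def check_click(row):
    """Third hunt: tracking hosts, redirect depth and where the chain finally lands."""
    findings = []
    chain = json.loads(row["UrlChain"]) if row.get("UrlChain") else [row["Url"]]
    hosts = [(urlparse(u).hostname or "").lower() for u in chain]
    if any(h.endswith("sendgrid.net") for h in hosts):
        findings.append("tracking_link")
    if len(hosts) > 1:
        findings.append(f"redirect_hops:{len(hosts) - 1}")
    if not is_brand_domain(hosts[-1]):
        findings.append(f"final_host_off_brand:{hosts[-1]}")
    return findings


def triage(email_events, url_click_events):
    """Join clicks to messages on NetworkMessageId and collect findings per message."""
    clicks_by_msg = {}
    for click in url_click_events:
        clicks_by_msg.setdefault(click["NetworkMessageId"], []).append(click)
    report = {}
    for row in email_events:
        findings = check_sender(row)
        clicked_by = []
        for click in clicks_by_msg.get(row["NetworkMessageId"], []):
            findings.extend(check_click(click))
            if click["ActionType"] == "ClickAllowed":
                clicked_by.append(click["AccountUpn"])
        report[row["NetworkMessageId"]] = {"sender": row["SenderFromAddress"],
                                           "findings": findings, "clicked_by": clicked_by}
    return report


if __name__ == "__main__":
    for msg_id, result in triage(EMAIL_EVENTS, URL_CLICK_EVENTS).items():
        print(msg_id, result["sender"], result["findings"], result["clicked_by"])
```

Run against the constructed rows, the Disney-branded message from adu.ac.ae collects a brand/sender mismatch, an unaligned MAIL FROM, failing DMARC and CompAuth verdicts, a SendGrid tracking hop, two redirects and an off-brand landing host, while the legitimate disneyplus.com message produces no findings even though it was also clicked. The MAIL FROM check is deliberately kept as a weak signal, since legitimate bulk senders trigger it too.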

Fourth hunt: find similar subscription phishing campaigns

Attackers rarely send only one message. Once a suspicious pattern appears, search for similar subjects, sender domains and campaign language across the tenant.
subscription-phishing-campaign-hunt.kql
// Campaign scope: group the lure wording by sending identity and count messages,
// distinct recipients and the active time window
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("subscription", "renewal", "update needed", "billing")
| summarize Count=count(),
            Recipients=dcount(RecipientEmailAddress),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp)
    by SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction
| order by Count desc

What this investigation shows

The email did not fail because it looked bad. It failed because the sender identity, redirect behaviour and trust chain did not match the brand being impersonated.
Branding is not identity: a logo can be copied. A trusted sender relationship cannot be assumed.
Users need context: awareness training works better when users see real examples that nearly fooled them.
Telemetry confirms suspicion: EmailEvents, AuthenticationDetails and UrlClickEvents provide the evidence behind the gut feeling.

Final thoughts from Agent Foskett

The phishing email looked better than many legitimate corporate emails.

But underneath the branding, the sender identity failed, the infrastructure looked suspicious and the redirect chain did not make sense.

The investigation did not start with malware.

It started with one simple question:

Why would Disney send billing emails from adu.ac.ae?

That one observation changed everything.
GEMXIT helps organisations investigate Microsoft Defender XDR, email security signals, KQL hunting results and real-world phishing risk.
