Email Security • DMARC • SMTP Identity

The Email Came From Me

The message looked legitimate. It came from the same address it was sent to. But there was no breach, no suspicious login and no mailbox compromise. It was identity spoofing at protocol level — and a reminder that trust without verification is exactly what attackers exploit.

This is why stronger identity and access enforcement matters beyond sign-ins alone. Email trust is part of identity too.

Agent Foskett Friday Cyber Briefings
Briefing summary

The email appeared to come from the same address it was sent to. But no account had been breached. The real issue was spoofing — a forged identity being trusted because email authentication and enforcement were not strong enough.

No unusual sign-ins
No mailbox compromise
Spoofed domain identity

What happened

The message looked legitimate, but the trust behind it was fake.
The email looked real: it appeared to come from the same address it was delivered to, styled as a normal DocuSign-style notification with a button inviting a click.
The hidden clue: the link behind the button redirected through unrelated domains. That was the giveaway. The visible identity looked safe, but the path behind it did not.
What it was not: no breach, no suspicious mailbox access, no login alert, no account compromise. The correct conclusion was impersonation, not intrusion.

What we checked before panicking

Good investigations verify signals first, then decide whether the issue is compromise or impersonation.
identity-and-email-checks.kql
// Scope every check to the user whose address appeared in the From: header,
// and to the same seven-day window.
let TargetUser = "user@yourdomain.com";
let Window = 7d;
// 1. Identity: did the account itself authenticate from anywhere unusual?
let RecentSignins =
    SigninLogs
    | where TimeGenerated > ago(Window)
    | where UserPrincipalName =~ TargetUser
    | project
        TimeGenerated,
        UserPrincipalName,
        IPAddress,
        AppDisplayName,
        ResultType,
        Location = strcat(tostring(LocationDetails.city), ", ", tostring(LocationDetails.countryOrRegion));
// 2. Mailbox: were inbox rules or mailbox settings (including forwarding) changed?
let InboxRuleActivity =
    OfficeActivity
    | where TimeGenerated > ago(Window)
    | where UserId =~ TargetUser
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | project
        TimeGenerated,
        UserId,
        Operation,
        ClientIP;
// 3. Mail flow: messages that claim to be from the user and were delivered to the user.
//    AuthenticationDetails holds the SPF/DKIM/DMARC verdicts the gateway recorded.
//    EmailEvents uses Timestamp rather than TimeGenerated, so rename it for the union.
let MailboxSuspicion =
    EmailEvents
    | where Timestamp > ago(Window)
    | where RecipientEmailAddress =~ TargetUser
    | where SenderFromAddress =~ TargetUser
    | project
        TimeGenerated = Timestamp,
        SenderFromAddress,
        RecipientEmailAddress,
        Subject,
        AuthenticationDetails,
        ThreatTypes,
        UrlCount;
// Put all three views on one timeline; columns a source does not have are left empty.
RecentSignins
| union InboxRuleActivity, MailboxSuspicion
| order by TimeGenerated desc
Identity checks: no unusual Microsoft Entra ID sign-ins, no suspicious IP pattern and no sign that the account itself had been used to send the message.
Mailbox checks: no forwarding rules, no inbox tampering, no hidden mailbox persistence. The mailbox was not the attack path.
Mindset shift: that is the key investigation moment. Stop chasing compromise and start testing whether the identity was simply forged, which means reading the Authentication-Results, Return-Path and DKIM signing domain rather than the display From.

Why this works

Attackers do not always need to hack accounts. Sometimes they just need to borrow your identity.
SMTP trust is easy to abuse: SMTP itself does not authenticate the sender. Both the envelope MAIL FROM and the From: header are strings the sending server chooses, so anyone can put your address in them and borrow the appearance of your identity. That is enough to trigger trust in people who think familiar means safe.
The instinct attackers rely on: "If it came from me, it must be safe." That split-second assumption is often enough to get a click.
Headers matter: when the Received chain, the Return-Path, the DKIM signing domain (the d= tag) and the redirect chain do not align with the domain in From:, the message is telling you the identity is fake even though the From field looks correct.

The controls that actually matter

This is where most environments fall short: authentication without enforcement is not enough.
SPF: SPF lets a domain publish in DNS which servers may send mail on its behalf. The receiver evaluates it against the envelope sender (MAIL FROM, seen later as Return-Path), not the From: header people read, so a spoofed message can pass SPF for the attacker's own domain while displaying yours. It helps, but by itself it does not stop spoofing.
DKIM: DKIM cryptographically signs outbound mail so the receiver can verify the message was not altered and that the signing domain (the d= tag) vouches for it. An attacker can sign with a domain they control, so a valid DKIM signature alone does not prove the From: domain is genuine.
DMARC: DMARC is the policy layer that ties SPF and DKIM to the From: domain. It passes only when a passing SPF or DKIM result comes from a domain aligned with the From: domain, and its p= tag (none, quarantine or reject) tells the receiving system what to do when neither aligns. This is where trust enforcement actually happens.
Without enforcement: with p=none, a message that fails both SPF and DKIM alignment is still delivered and the domain owner merely receives aggregate reports. With p=quarantine it is typically routed to junk; only with p=reject does the receiving server refuse it. The receiver also has to honour the policy, so check what your own gateway does with a DMARC failure, not just what your DNS record says.
Security is trust enforcement: email security is no longer just about spam filtering. It is about proving identity properly and defining what happens when identity fails verification.
The real test: if an email claiming to be from your own domain arrived at your gateway today, would your environment deliver it automatically, or reject it because the identity could not be verified?
If DMARC isn't set to reject, you don't control your identity. Attackers do.
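To make the alignment rule concrete, here is a worked example added to this briefing; it is not code from GEMXIT and not part of the original page. It evaluates one message the way a receiving server would: parse the domain's DMARC record, read the SPF and DKIM verdicts from the Authentication-Results header, test whether the domain each verdict was computed for aligns with the From: domain, and apply the p= policy. Everything in it is constructed: yourdomain.com and attacker-infra.example are placeholders, the headers are made up, the DMARC records are strings rather than live lookups of _dmarc.yourdomain.com, and organizational_domain() is a two-label simplification of the Public Suffix List logic a real receiver uses.

```python
# Added example, not the page's or GEMXIT's code: DMARC alignment and disposition
# for one message, given the impersonated domain's published policy.
# All domains, headers and records below are constructed placeholders.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC TXT records for the impersonated domain (normally fetched
# from DNS at _dmarc.yourdomain.com).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
STRONG_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@yourdomain.com"

# Constructed "from myself" spoof: SPF and DKIM both pass, but for the attacker's
# infrastructure, not for the domain shown in From:.
SPOOFED_MESSAGE = """\
From: "Alice Example" <user@yourdomain.com>
To: user@yourdomain.com
Subject: Completed: Please DocuSign the attached agreement
Return-Path: <bounce-7f3a@mail.attacker-infra.example>
Authentication-Results: mx.yourdomain.com;
 spf=pass smtp.mailfrom=mail.attacker-infra.example;
 dkim=pass header.d=attacker-infra.example header.s=sel1

Please review and sign.
"""

# Constructed legitimate notification: bounces go to a subdomain, DKIM is signed
# by the organisation's own domain.
LEGIT_MESSAGE = """\
From: "Alice Example" <user@yourdomain.com>
To: user@yourdomain.com
Subject: Weekly report
Return-Path: <bounce-1a2b@bounce.yourdomain.com>
Authentication-Results: mx.yourdomain.com;
 spf=pass smtp.mailfrom=bounce.yourdomain.com;
 dkim=pass header.d=yourdomain.com header.s=mail2024

Report attached.
"""


def parse_dmarc_record(txt):
    """Return the tags that decide disposition: p, aspf, adkim (RFC 7489 defaults)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # A record without p= is invalid; treating it as "none" keeps it visibly unenforced.
    return {"p": tags.get("p", "none").lower(),
            "aspf": tags.get("aspf", "r").lower(),
            "adkim": tags.get("adkim", "r").lower()}


def organizational_domain(domain):
    """Simplification (assumption): last two labels. Real receivers consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed ("r") alignment compares organisational domains; strict ("s")
    requires an exact match with the RFC 5322 From: domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_auth_results(value):
    """Pull the SPF and DKIM verdicts, and the domains they were evaluated for,
    out of an RFC 8601 style Authentication-Results header."""
    value = re.sub(r"\s+", " ", value)
    spf = re.search(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+))?", value)
    dkim = re.search(r"\bdkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", value)
    return {"spf": spf.group(1).lower() if spf else "none",
            "spf_domain": spf.group(2) if spf else None,
            "dkim": dkim.group(1).lower() if dkim else "none",
            "dkim_domain": dkim.group(2) if dkim else None}


def evaluate_dmarc(raw_message, dmarc_txt):
    """DMARC passes only if SPF or DKIM passes AND that result's domain aligns with
    From:. Otherwise the record's p= tag decides what the receiver does."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    policy = parse_dmarc_record(dmarc_txt)
    ar = parse_auth_results(msg["Authentication-Results"] or "")
    spf_aligned = (ar["spf"] == "pass" and ar["spf_domain"] is not None
                   and aligned(from_domain, ar["spf_domain"], policy["aspf"]))
    dkim_aligned = (ar["dkim"] == "pass" and ar["dkim_domain"] is not None
                    and aligned(from_domain, ar["dkim_domain"], policy["adkim"]))
    dmarc_pass = spf_aligned or dkim_aligned
    if dmarc_pass:
        disposition = "deliver"
    elif policy["p"] in ("reject", "quarantine"):
        disposition = policy["p"]
    else:
        disposition = "deliver (monitor only)"   # p=none: reported, not stopped
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": dmarc_pass,
            "policy": policy["p"], "disposition": disposition}


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        for record in (WEAK_RECORD, STRONG_RECORD):
            print(label, record.split(";")[1].strip(), evaluate_dmarc(message, record))
```

The spoofed message passes SPF and DKIM, yet fails DMARC under both records because neither passing domain aligns with yourdomain.com; with p=none it is still delivered, with p=reject it is refused. The legitimate message fails strict SPF alignment (bounce.yourdomain.com is a subdomain) but still passes DMARC through its aligned DKIM signature, which is why you should verify that outbound mail is DKIM-signed with your own domain before tightening aspf and adkim to strict.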

Final thought

Identity is not just about sign-ins. It is also about whether the outside world can trust your domain.
At GEMXIT: we help organisations look beyond the obvious and verify whether identity, trust and enforcement are actually working the way they think they are. If you want help reviewing this properly, see our Cyber Security services.
Agent Foskett mindset: the email looked legitimate because identity was not being verified strongly enough. Trust without enforcement is not security.

If your environment has Microsoft security tools but your mail identity controls are still weak, the next step is closing that trust gap properly. 👉 Review Microsoft security operations and identity protection

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD

Email Spoofing and Domain Impersonation Explained

This article explains how spoofed email can appear to come from your own address even when there has been no compromise, and why identity impersonation is still highly effective.

Why SPF, DKIM and DMARC Matter

SPF and DKIM help validate email sources, but DMARC provides the enforcement layer that tells the world how to treat messages that fail identity checks.

Why DMARC Reject Protects Trust

If DMARC is not enforced, attackers can continue spoofing your domain and exploiting trust. Email security is no longer just filtering — it is trust enforcement.