Query Details

Email Gmail Sender With Different Display Names

Query

# *Gmail Sender with Multiple Display Names*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1566 | Phishing | https://attack.mitre.org/techniques/T1566/ |
| T1656 | Impersonation | https://attack.mitre.org/techniques/T1656/ |

#### Description
Detects a single Gmail sender address that uses multiple distinct display names within the query's lookback window (2 hours). This behavior can indicate impersonation, phishing, or spam campaigns in which an attacker tries to appear as different entities from the same compromised or attacker-controlled mailbox.

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/


## Defender XDR
```kql
// One lookback window for both stages, so the join cannot pull in older mail
let lookback = 2h;
let suspiciousSender = EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
// "@gmail.com" avoids matching look-alike domains such as notgmail.com
| where SenderFromAddress endswith "@gmail.com"
| summarize
    DistinctDisplayNames = dcount(SenderDisplayName),
    DisplayNames = make_set(SenderDisplayName)
    by SenderFromAddress
| where DistinctDisplayNames > 1;
// Join back to the in-window inbound events to give context on each flagged sender
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| join kind=inner suspiciousSender on SenderFromAddress
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderDisplayName,
    RecipientEmailAddress, Subject, DistinctDisplayNames, DisplayNames
| order by DistinctDisplayNames desc, SenderFromAddress asc, Timestamp desc
```

Explanation

This query identifies potential phishing or impersonation attempts by detecting a single Gmail sender address that uses multiple different display names within a short period (the 2-hour lookback set in the query). Here's a simple breakdown of what the query does:

  1. Filter Emails: It starts by looking at email events where the sender's email address ends with "gmail.com", indicating it's from a Gmail account. It only considers emails received in the last two hours and that are inbound (coming into the organization).

  2. Count Display Names: For each Gmail sender address, it counts how many different display names are used. A display name is the name shown to the recipient, which can be different from the actual email address.

  3. Identify Suspicious Activity: It identifies Gmail addresses that have used more than one display name in the specified timeframe. This is suspicious because it could indicate that someone is trying to impersonate different people using the same email address.

  4. Output Results: Finally, it lists these suspicious Gmail addresses, ordered by the number of different display names they used, and joins this information back with the original email events to provide context on these potentially malicious activities.

Overall, this query helps security teams detect and investigate possible phishing or impersonation attacks originating from Gmail accounts.
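As an added example (not part of the original page or the author's query), the same four steps in Python over constructed EmailEvents-like rows, so the filter, summarize and join stages can be traced on sample data. It also shows why an exact domain check is tighter than `endswith "gmail.com"`, which would also match look-alike domains; the sample rows and the `NOW` reference time are made up for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 10, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows: (minutes before NOW, EmailDirection,
# SenderFromAddress, SenderDisplayName). Not data from any real tenant.
SAMPLE_EVENTS = [
    (90, "Inbound", "alex.example@gmail.com", "Alex Example"),
    (40, "Inbound", "alex.example@gmail.com", "IT Helpdesk"),
    (10, "Inbound", "alex.example@gmail.com", "CEO Office"),
    (180, "Inbound", "jo@gmail.com", "Jo"),          # outside the 2h window
    (5, "Inbound", "jo@gmail.com", "Jo Smith"),
    (5, "Outbound", "sam@gmail.com", "Sam"),          # excluded by direction
    (6, "Inbound", "sam@gmail.com", "Sam B."),
    (7, "Inbound", "pay@notgmail.com", "Payroll"),    # look-alike domain
    (8, "Inbound", "pay@notgmail.com", "HR"),
]

def is_gmail(sender: str) -> bool:
    """Exact domain match; a plain endswith('gmail.com') would also accept notgmail.com."""
    return "@" in sender and sender.lower().rsplit("@", 1)[1] == "gmail.com"

def find_multi_name_senders(events, now=NOW, lookback=timedelta(hours=2), threshold=2):
    """Steps 1-3 of the query: filter, summarize per sender, keep dcount >= threshold.
    Returns {SenderFromAddress: sorted list of display names seen in the window}."""
    names = defaultdict(set)
    for minutes_ago, direction, sender, display in events:
        ts = now - timedelta(minutes=minutes_ago)
        if ts <= now - lookback or direction != "Inbound" or not is_gmail(sender):
            continue
        names[sender].add(display)
    return {s: sorted(n) for s, n in names.items() if len(n) >= threshold}

def enrich_events(events, flagged, now=NOW, lookback=timedelta(hours=2)):
    """Step 4 (the join): in-window inbound rows from flagged senders, with the
    summarized count attached, ordered by that count then by time."""
    rows = []
    for minutes_ago, direction, sender, display in events:
        ts = now - timedelta(minutes=minutes_ago)
        if sender in flagged and direction == "Inbound" and ts > now - lookback:
            rows.append({"Timestamp": ts, "SenderFromAddress": sender,
                         "SenderDisplayName": display,
                         "DistinctDisplayNames": len(flagged[sender])})
    return sorted(rows, key=lambda r: (-r["DistinctDisplayNames"], r["Timestamp"]))
```

On the sample rows only `alex.example@gmail.com` is flagged: `jo@gmail.com` has one name inside the window, `sam@gmail.com` loses its outbound row, and `pay@notgmail.com` fails the domain check.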

Details


Benjamin Zulliger

Released: October 22, 2025

Tables

EmailEvents

Keywords

EmailEvents, SenderDisplayName, Timestamp, EmailDirection, SenderFromAddress

Operators

let, endswith, ago, summarize, dcount, make_set, by, order by, join, kind, project
