Defender for Office 365 - Authentication Details
MDO Authentication Details
Query
EmailEvents |where Timestamp > ago (1d) and DetectionMethods contains "spoof" and SenderFromDomain has "contoso.com"
| project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames
| evaluate bag_unpack(AR)
| where SPF == "fail"About this query
Defender for Office 365 - Authentication Details
Query Information
Description
Use the below queries to get Authentication details from e-mail send thorugh Microsoft Defender for Office 365
References
Microsoft 365 Defender
Check for spoofing attempts on the domain with SPF fails
Explanation
This query is used to check for spoofing attempts on a specific domain (contoso.com) within the last 24 hours. It retrieves email events that contain the keyword "spoof" in the detection methods and have a sender domain of "contoso.com". The query then projects specific fields such as timestamp, authentication details, network message ID, email direction, subject, sender address, sender IP address, threat types, detection methods, and threat names. It also unpacks the authentication details and filters the results to only include events where SPF (Sender Policy Framework) fails.
Details

Alex Verboon
Released: November 2, 2023
Tables
Keywords
Operators