Query Details

Defender for Office 365 - Authentication Details

MDO Authentication Details

Query

EmailEvents |where Timestamp > ago (1d) and DetectionMethods contains "spoof" and SenderFromDomain has "contoso.com" 
| project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames 
| evaluate bag_unpack(AR) 
| where SPF == "fail"

About this query

Defender for Office 365 - Authentication Details

Query Information

Description

Use the below queries to get Authentication details from e-mail send thorugh Microsoft Defender for Office 365

References

Microsoft 365 Defender

Check for spoofing attempts on the domain with SPF fails

Explanation

This query is used to check for spoofing attempts on a specific domain (contoso.com) within the last day. It retrieves email events that have the "spoof" detection method and extracts authentication details. The query then filters for emails with SPF (Sender Policy Framework) authentication that has failed.

Details

Alex Verboon profile picture

Alex Verboon

Released: November 23, 2023

Tables

EmailEvents

Keywords

EmailEventsTimestampDetectionMethodsSenderFromDomainARNetworkMessageIdEmailDirectionSubjectSenderFromAddressSenderIPv4ThreatTypesThreatNamesSPF

Operators

whereTimestamp>ago(1d)andDetectionMethodscontains"spoof"SenderFromDomainhas"contoso.com"projectAR=parse_json(AuthenticationDetails)NetworkMessageIdEmailDirectionSubjectSenderFromAddressSenderIPv4ThreatTypesThreatNamesevaluatebag_unpack(AR)SPF=="fail"

Actions

GitHub