MDO Hunting - Email Auth Failures (SPF/DKIM/DMARC Spoofing)
MDO 07 Email Auth Failures Spoofing
Query
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| extend Auth = parse_json(AuthenticationDetails)
| extend SPF = tostring(Auth.SPF), DKIM = tostring(Auth.DKIM),
DMARC = tostring(Auth.DMARC), CompAuth = tostring(Auth.CompAuth)
| where DMARC == "fail" or (SPF == "fail" and DKIM == "fail")
| summarize Messages = count(),
Recipients = dcount(RecipientEmailAddress),
Delivered = countif(DeliveryAction == "Delivered")
by SenderFromDomain, SPF, DKIM, DMARC, CompAuth
| where Delivered > 0
| sort by Messages descExplanation
This query is designed to detect email spoofing attempts by analyzing inbound email authentication results. It focuses on identifying emails that have failed DMARC (Domain-based Message Authentication, Reporting & Conformance) checks, which are strong indicators of domain spoofing or Business Email Compromise (BEC).
Here's a simple breakdown of what the query does:
-
Data Source: It uses email event data from Microsoft Threat Protection.
-
Time Frame: It looks at emails received in the last 7 days.
-
Email Direction: It filters for inbound emails only.
-
Authentication Details: It extracts and checks the results of email authentication methods: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC.
-
Failure Detection: It identifies emails where DMARC failed, or both SPF and DKIM failed.
-
Summarization: It counts the number of such messages, the distinct number of recipients, and how many of these emails were actually delivered to inboxes.
-
Focus on Delivered Emails: It specifically highlights cases where spoofed emails were delivered, suggesting a need for stronger anti-spoofing measures.
-
Sorting: It sorts the results by the number of messages, prioritizing domains with the most spoofing attempts.
Overall, this query helps organizations identify and respond to potential email spoofing threats by highlighting cases where spoofed emails have bypassed existing security measures and reached user mailboxes.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics