Spoof attempts with auth failure

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This query helps in checking for spoofing attempts on the domain with Authentication failures

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	5971f2e7-1bb2-4170-aa7a-577ed8a45c72
Tactics	InitialAccess
Techniques	T1566
Required Connectors	MicrosoftThreatProtection
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Email%20and%20Collaboration%20Queries/Authentication/Spoof%20attempts%20with%20auth%20failure.yaml)

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
EmailEvents	DetectionMethods contains "spoof"	✓	✗	✓

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries