M365 Archive
Back to latest version
Comparing Jun 5, 2025 latest (Oct 6, 2025) Swap

MC1088729 - Microsoft Defender for Office 365: Two new data tables in Advanced hunting (preview)

Message Center

Metadata at latest

Message ID

MC1088729

View in Message Center

Last Updated

Oct 6, 2025

Published Jun 5, 2025

Service

Microsoft Defender XDR

Tag

Updated message
New feature
User impact
Admin impact

Metadata changes

Tags
Admin impact, New feature, User impactAdmin impact, New feature, Updated message, User impact
End date
Sep 30, 2025Jan 5, 2026

Body changes

removed textadded text

Updated October 6, 2025: We have updated the content. Thank you for your patience. 

Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.

When this will happen:

Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.

General Availability (Worldwide, GCC, GCC High, DoD): General Availability: We will begin rolling out early July 2025 and expect to complete by late July 2025.November 2025, covering both Advanced Hunting and Sentinel availability.

How this will affect your organization:

The new tables will be available by default. SOC teams will be able to see two new data tables in Defender > Advanced hunting > Email & collaboration schema.

1. CampaignInfo

The CampaignInfo table in the Advanced hunting schema contains information about email campaigns identified by Defender for Office 365. The table will have this schema to help the security teams to investigate threats targeting their users and organization:

admin controls

2. FileMaliciousContentInfo

The FileMaliciousContentInfo table in the Advanced hunting schema contains information about files that were identified as maliciousprocessed by Defender for Office 365 in Microsoft SharePoint Online, Microsoft OneDrive, and Microsoft Teams. The table will have this schema to help the security teams to investigate threats targeting their users and organization:

admin controls

Here are a few sample queries to get you started:

//Emails sent as part of phishing campaigns

CampaignInfo

| where Timestamp > ago(7d)

| where CampaignType has "Phish"

| project NetworkMessageId, RecipientEmailAddress, CampaignName, CampaignId, CampaignType

| join (EmailEvents | where Timestamp > ago(7d)) on NetworkMessageId, RecipientEmailAddress

| project Timestamp, NetworkMessageId, Subject, SenderMailFromAddress, RecipientEmailAddress, LatestDeliveryLocation, LatestDeliveryAction, CampaignId, CampaignName, CampaignType

//Files identified as Malware modified in last 1 day

FileMaliciousContentInfo

| where ThreatTypes == "Malware"

| where LastModifiedTime > ago(1d)

What you need to do to prepare:

This rollout will happen automatically by the specified dates with no admin action required before the rollout. Review your current configuration to assess the impact on your organization. You may want to notify your users about this change and update your relevant documentation.

After the Public Preview rollout, we will update this post with new documentation.