Microsoft Defender for Office 365: Two new data tables in Advanced hunting (preview)

Microsoft Defender for Office 365 is introducing two new data tables, CampaignInfo and FileMaliciousContentInfo, in Advanced hunting. Public Preview starts in early June 2025, with General Availability in early July 2025. These tables will help SOC teams investigate email campaigns and malicious files. No admin action is required. Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema. When this will happen: Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025. General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early July 2025 and expect to complete by late July 2025. How this will affect your organization: The new tables will be available by default. SOC teams will be able to see two new data tables in Defender > Advanced hunting > Email & collaboration schema. 1. CampaignInfo The CampaignInfo table in the Advanced hunting schema contains information about email campaigns identified by Defender for Office 365. The table will have this schema to help the security teams to investigate threats targeting their users and organization: View image in new tab 2. FileMaliciousContentInfo The FileMaliciousContentInfo table in the Advanced hunting schema contains information about files that were identified as malicious by Defender for Office 365 in Microsoft SharePoint Online, Microsoft OneDrive, and Microsoft Teams. The table will have this schema to help the security teams to investigate threats targeting their users and organization: Here are a few sample queries to get you started: //Emails sent as part of phishing campaigns CampaignInfo | where Timestamp > ago(7d) View image in new tab | where CampaignType has "Phish" | project NetworkMessageId, RecipientEmailAddress, CampaignName, CampaignId, CampaignType | join (EmailEvents | where Timestamp > ago(7d)) on NetworkMessageId, RecipientEmailAddress | project Timestamp, NetworkMessageId, Subject, SenderMailFromAddress, RecipientEmailAddress, LatestDeliveryLocation, LatestDeliveryAction, CampaignId, CampaignName, CampaignType //Files identified as Malware modified in last 1 day FileMaliciousContentInfo | where ThreatTypes == "Malware" | where LastModifiedTime > ago(1d) What you need to do to prepare: This rollout will happen automatically by the […]

The post Microsoft Defender for Office 365: Two new data tables in Advanced hunting (preview) appeared first on M365 Admin.