MC1088729 – (Updated) Microsoft Defender for Office 365: Two new data tables in Advanced hunting (preview)

check before: 2025-06-01

Product:

Defender, Defender for Office 365, Defender XDR, OneDrive, SharePoint, Teams

Platform:

Online, US Instances, World tenant

Status:

Change type:

Admin impact, New feature, Updated message, User impact

Links:

Details:

Summary:
Microsoft Defender for Office 365 will add two new Advanced hunting data tables, CampaignInfo and FileMaliciousContentInfo, rolling out from June to November 2025. These tables help security teams investigate email campaigns and malicious files across email, SharePoint, OneDrive, and Teams, with no admin action needed.

Details:
Updated October 6, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early July 2025 and expect to complete by late November 2025, covering both Advanced Hunting and Sentinel availability.

Release Phase:

Created:
2025-06-06

updated:
2025-10-06

Direct effects for Operations**

Introduction of new data tables in Advanced hunting
The addition of CampaignInfo and FileMaliciousContentInfo tables may lead to confusion among users who are not familiar with the new features, potentially resulting in misinterpretation of data and delayed response to threats.
   - roles: Security Operations Center (SOC) Analysts, IT Support Staff
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-office-365-two-new-data-tables-in/ba-p/3651230

Automatic rollout of new features
The automatic rollout without prior preparation may disrupt existing workflows and processes, as users may not be aware of the changes, leading to inefficiencies in threat investigation and response.
   - roles: Security Operations Center (SOC) Analysts, End Users
   - references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-office-365-two-new-data-tables-in/ba-p/3651230

explanation for non-techies**

Imagine you're a detective working on a case. In your toolkit, you have a magnifying glass and a notebook. These tools help you examine clues and piece together the story of what happened. Similarly, Microsoft Defender for Office 365 is like a detective's toolkit for cybersecurity teams. It helps them investigate and understand potential threats to their organization's email and file systems.

Now, Microsoft is adding two new tools to this digital detective kit: the CampaignInfo and FileMaliciousContentInfo data tables. Think of these tables as new pages in your detective notebook, specifically designed to help you track down cyber threats.

The CampaignInfo table is like a page where you jot down details about suspicious email campaigns. Just as a detective might track a series of related crimes, this table helps security teams see patterns in phishing emails, which are like fraudulent letters trying to trick people. By examining these patterns, teams can better understand and stop these threats.

The FileMaliciousContentInfo table is like a page where you note down information about suspicious files. Imagine you're investigating a series of break-ins, and you find fingerprints at each scene. This table helps track files that might contain harmful content, like malware, across platforms such as SharePoint, OneDrive, and Teams. It's like identifying and following the trail of those fingerprints to catch the culprit.

These new tables will be available automatically, so there's no need for anyone to take action to start using them. Just like a detective doesn't need to ask for permission to use a new tool once it's in their kit, security teams can begin using these tables as soon as they appear. They can run queries, which are like asking specific questions, to find out more about potential threats.

For example, they can ask, "Have there been any phishing emails sent in the last week?" or "Were there any files identified as malware in the last day?" These questions help them focus their investigation and protect their organization more effectively.

In summary, these new data tables in Microsoft Defender for Office 365 are like adding new pages to a detective's notebook, giving security teams better tools to track and understand cyber threats without needing to change anything on their end.

** AI generated content. This information must be reviewed before use.

change history

Date | Property | old | new

2025-10-06 | MC Messages
old:
Updated September 3, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): General Availability: We will begin rolling out early July 2025 and expect to complete by late November 2025, covering both Advanced Hunting and Sentinel availability.
new:
Updated October 6, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): General Availability: We will begin rolling out early July 2025 and expect to complete by late November 2025, covering both Advanced Hunting and Sentinel availability.

2025-10-06 | MC How Affect
old:
The new tables will be available by default. SOC teams will be able to see two new data tables in Defender > Advanced hunting > Email & collaboration schema.
1. CampaignInfo
The CampaignInfo table in the Advanced hunting schema contains information about email campaigns identified by Defender for Office 365. The table will have this schema to help the security teams to investigate threats targeting their users and organization:

2. FileMaliciousContentInfo
The FileMaliciousContentInfo table in the Advanced hunting schema contains information about files that were identified as malicious by Defender for Office 365 in Microsoft SharePoint Online, Microsoft OneDrive, and Microsoft Teams. The table will have this schema to help the security teams to investigate threats targeting their users and organization:

Here are a few sample queries to get you started:

//Emails sent as part of phishing campaigns
CampaignInfo
| where Timestamp > ago(7d)
| where CampaignType has "Phish"
| project NetworkMessageId, RecipientEmailAddress, CampaignName, CampaignId, CampaignType
| join (EmailEvents | where Timestamp > ago(7d)) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, NetworkMessageId, Subject, SenderMailFromAddress, RecipientEmailAddress, LatestDeliveryLocation, LatestDeliveryAction, CampaignId, CampaignName, CampaignType

//Files identified as Malware modified in last 1 day
FileMaliciousContentInfo
| where ThreatTypes == "Malware"
| where LastModifiedTime > ago(1d)
new:
The new tables will be available by default. SOC teams will be able to see two new data tables in Defender > Advanced hunting > Email & collaboration schema.
1. CampaignInfo
The CampaignInfo table in the Advanced hunting schema contains information about email campaigns identified by Defender for Office 365. The table will have this schema to help the security teams to investigate threats targeting their users and organization:

2. FileMaliciousContentInfo
The FileMaliciousContentInfo table in the Advanced hunting schema contains information about files that were processed by Defender for Office 365 in Microsoft SharePoint Online, Microsoft OneDrive, and Microsoft Teams. The table will have this schema to help the security teams to investigate threats targeting their users and organization:

Here are a few sample queries to get you started:

//Emails sent as part of phishing campaigns
CampaignInfo
| where Timestamp > ago(7d)
| where CampaignType has "Phish"
| project NetworkMessageId, RecipientEmailAddress, CampaignName, CampaignId, CampaignType
| join (EmailEvents | where Timestamp > ago(7d)) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, NetworkMessageId, Subject, SenderMailFromAddress, RecipientEmailAddress, LatestDeliveryLocation, LatestDeliveryAction, CampaignId, CampaignName, CampaignType

//Files identified as Malware modified in last 1 day
FileMaliciousContentInfo
| where ThreatTypes == "Malware"
| where LastModifiedTime > ago(1d)

2025-10-06 | MC Last Updated | old: 09/03/2025 22:16:07 | new: 2025-10-06T16:17:50Z

2025-10-06 | MC Summary
old:
Microsoft Defender for Office 365 will add two new Advanced hunting data tables—CampaignInfo and FileMaliciousContentInfo—starting June 2025, with general availability by November 2025. These tables help security teams investigate email campaigns and malicious files across Microsoft 365 services, requiring no admin action.
new:
Microsoft Defender for Office 365 will add two new Advanced hunting data tables, CampaignInfo and FileMaliciousContentInfo, rolling out from June to November 2025. These tables help security teams investigate email campaigns and malicious files across email, SharePoint, OneDrive, and Teams, with no admin action needed.

2025-09-04 | MC Last Updated | old: 07/29/2025 17:23:42 | new: 2025-09-03T22:16:07Z

2025-09-04 | MC Messages
old:
Updated July 29, 2025: We have updated the timeline. Thank you for your patience.
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early July 2025 and expect to complete by late August 2025 (previously late July).
new:
Updated September 3, 2025: We have updated the content. Thank you for your patience.
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): General Availability: We will begin rolling out early July 2025 and expect to complete by late November 2025, covering both Advanced Hunting and Sentinel availability.

2025-09-04 | MC End Time | old: 10/06/2025 09:00:00 | new: 2026-01-05T08:00:00Z

2025-09-04 | MC Summary
old:
Microsoft Defender for Office 365 will add two new Advanced hunting data tables—CampaignInfo and FileMaliciousContentInfo—rolling out from June to August 2025. These tables help security teams investigate email campaigns and malicious files across email, SharePoint, OneDrive, and Teams, with no admin action needed.
new:
Microsoft Defender for Office 365 will add two new Advanced hunting data tables—CampaignInfo and FileMaliciousContentInfo—starting June 2025, with general availability by November 2025. These tables help security teams investigate email campaigns and malicious files across Microsoft 365 services, requiring no admin action.

2025-07-30 | MC MessageTagNames | old: New feature, User impact, Admin impact | new: Updated message, New feature, User impact, Admin impact

2025-07-30 | MC Summary
old:
Microsoft Defender for Office 365 is introducing two new data tables, CampaignInfo and FileMaliciousContentInfo, in Advanced hunting. Public Preview starts in early June 2025, with General Availability in early July 2025. These tables will help SOC teams investigate email campaigns and malicious files. No admin action is required.
new:
Microsoft Defender for Office 365 will add two new Advanced hunting data tables—CampaignInfo and FileMaliciousContentInfo—rolling out from June to August 2025. These tables help security teams investigate email campaigns and malicious files across email, SharePoint, OneDrive, and Teams, with no admin action needed.

2025-07-30 | MC Last Updated | old: 06/06/2025 01:43:22 | new: 2025-07-29T17:23:42Z

2025-07-30 | MC Messages
old:
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early July 2025 and expect to complete by late July 2025.
new:
Updated July 29, 2025: We have updated the timeline. Thank you for your patience.
Coming soon for Microsoft Defender for Office 365: We are excited to announce the new CampaignInfo and FileMaliciousContentInfo data tables in Advanced hunting under Email & collaboration schema.
[When this will happen:]
Public Preview: We will begin rolling out early June 2025 and expect to complete by late June 2025.
General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out early July 2025 and expect to complete by late August 2025 (previously late July).

2025-07-30 | MC Title | old: Microsoft Defender for Office 365: Two new data tables in Advanced hunting (preview) | new: (Updated) Microsoft Defender for Office 365: Two new data tables in Advanced hunting (preview)

2025-07-30 | MC End Time | old: 09/30/2025 09:00:00 | new: 2025-10-06T09:00:00Z
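
Added example (not part of the Message Center post or of this page's original content): a campaign-level rollup built on the phishing sample query in the MC How Affect entry above, so an analyst sees which campaigns still have mail sitting in mailboxes instead of one row per message. It uses only columns that appear in those sample queries; the LatestDeliveryLocation value "Inbox/folder" and the 7-day lookback are assumptions.

```kusto
// Added example: per-campaign exposure summary.
// Columns are limited to those shown in the sample queries on this page.
let lookback = 7d;   // assumption: same window as the sample query
CampaignInfo
| where Timestamp > ago(lookback)
| where CampaignType has "Phish"
| project NetworkMessageId, RecipientEmailAddress, CampaignId, CampaignName, CampaignType
// Inner join keeps only campaign messages that also have an EmailEvents record
// for the same message and recipient.
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderMailFromAddress, LatestDeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
| summarize
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    Messages   = dcount(NetworkMessageId),
    Recipients = dcount(RecipientEmailAddress),
    Senders    = dcount(SenderMailFromAddress),
    // Assumption: "Inbox/folder" marks mail that is still in a mailbox folder,
    // i.e. not quarantined, junked or removed after delivery.
    StillInMailbox    = countif(LatestDeliveryLocation == "Inbox/folder"),
    ExposedRecipients = make_set_if(RecipientEmailAddress,
                                    LatestDeliveryLocation == "Inbox/folder", 50)
  by CampaignId, CampaignName, CampaignType
// Campaigns with nothing left in a mailbox need no immediate clean-up.
| where StillInMailbox > 0
| order by StillInMailbox desc, Recipients desc
```

ExposedRecipients is capped at 50 addresses per campaign to keep result rows readable; raise or drop the cap when exporting a remediation list.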

Last updated 4 weeks ago
