
Microsoft Defender XDR is expanding its advanced hunting capabilities with two new tables: CampaignInfo and FileMaliciousContentInfo. These tables enhance threat detection and analysis for Defender for Office 365.
- CampaignInfo – Contains details about email campaigns identified by Defender for Office 365.
  - Schema: https://lnkd.in/dgPSHZd8
- FileMaliciousContentInfo – Provides information on malicious files detected in SharePoint Online, OneDrive, and Teams.
  - Schema: https://lnkd.in/dMqs-qgv
Public Preview: Early June 2025
General Availability: Early July 2025
Source: M365 Message Center (MC1088729)
You Should Know:
1. Querying CampaignInfo Table (KQL Example)
CampaignInfo
| where CampaignId == "12345-abcd-6789"
| project Timestamp, Sender, RecipientCount, Subject
Explanation:
- Retrieves campaign details by ID.
- Useful for tracking phishing or bulk malicious email campaigns.
2. Analyzing FileMaliciousContentInfo (KQL Example)
FileMaliciousContentInfo
| where FileName contains "invoice"
| summarize MaliciousCount = count() by FileType
Explanation:
- Identifies malicious files with “invoice” in the name.
- Groups results by file type (e.g., PDF, EXE).
3. Automating Alerts with Defender API
# Fetch malicious files via the advanced hunting API: Microsoft Graph exposes
# POST /security/runHuntingQuery (token needs the ThreatHunting.Read.All permission)
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}
$body = @{ Query = "FileMaliciousContentInfo | take 100" } | ConvertTo-Json
$response = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" -Method Post -Headers $headers -Body $body
# The response carries a 'schema' (column names/types) and 'results' (one object per row)
$response.results | Format-Table -AutoSize
Use Case:
- Automate threat intelligence gathering.
4. Hunting for Multi-Stage Attacks
CampaignInfo
| join (FileMaliciousContentInfo) on $left.CampaignId == $right.CampaignId
| where FileSeverity == "High"
Explanation:
- Correlates email campaigns with malicious file drops.
5. Exporting Data for SIEM Integration
# Export Defender for Cloud alerts as a delimited file for SIEM ingestion
# (this lists alerts, not hunting-table rows; --output tsv gives a tab-separated file rather than a formatted table)
az security alert list --query "[].{Name:alertDisplayName, Severity:severity}" --output tsv > alerts.tsv
Use Case:
- Forward Defender XDR logs to Splunk/Sentinel.
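Steps 2, 3 and 5 above describe one workflow: run a hunting query over FileMaliciousContentInfo, pull the rows through an API, and hand them to a SIEM. The script below is an added example that is not part of the original post or of any Microsoft sample; it assumes the Microsoft Graph runHuntingQuery endpoint and its response shape (a schema array plus a results array) as documented by Microsoft, and it assumes the FileMaliciousContentInfo columns SHA256 and Workload (only FileName and FileType appear on the page). The response it processes is constructed, so everything except the live call runs offline.

```python
"""Run a Defender XDR advanced hunting query through the Microsoft Graph
security API and turn the result into a SIEM-ready CSV.

Added example, not from the original post.  Assumptions: the Graph endpoint,
permission and response shape follow Microsoft's runHuntingQuery docs; the
SHA256 and Workload columns are assumed; SAMPLE_RESPONSE is constructed.
"""
import csv
import io
import json
import urllib.request
from collections import Counter
from typing import Dict, List, Optional

GRAPH_HUNT_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# The post's "invoice" hunt, projected to the columns the CSV needs (column list assumed)
INVOICE_QUERY = (
    "FileMaliciousContentInfo\n"
    "| where FileName contains 'invoice'\n"
    "| project Timestamp, FileName, FileType, SHA256, Workload"
)


def build_hunting_request(query: str, timespan: Optional[str] = None) -> Dict[str, str]:
    """Body for POST /security/runHuntingQuery: Query is required,
    Timespan is an optional ISO 8601 duration such as 'P7D'."""
    body = {"Query": query}
    if timespan:
        body["Timespan"] = timespan
    return body


def run_hunting_query(access_token: str, query: str, timespan: Optional[str] = None) -> dict:
    """Live call; needs a token holding ThreatHunting.Read.All.
    Not exercised offline, SAMPLE_RESPONSE stands in for its output."""
    req = urllib.request.Request(
        GRAPH_HUNT_URL,
        data=json.dumps(build_hunting_request(query, timespan)).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def rows_from_response(response: dict) -> List[dict]:
    """Keep only the columns declared in 'schema', so an unexpected field in a
    row can never leak into the CSV header or the SIEM field set."""
    columns = [c["name"] for c in response.get("schema", [])]
    return [{c: row.get(c) for c in columns} for row in response.get("results", [])]


def summarize_by_type(rows: List[dict]) -> Dict[str, int]:
    """Client-side equivalent of the post's 'summarize ... by FileType'."""
    return dict(Counter(row.get("FileType") or "unknown" for row in rows))


def to_siem_csv(rows: List[dict]) -> str:
    """CSV text with a fixed header order, suitable for a Splunk/Sentinel file ingest."""
    header = ["Timestamp", "FileName", "FileType", "SHA256", "Workload"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample response in the documented huntingQueryResults shape
SAMPLE_RESPONSE = {
    "schema": [
        {"name": "Timestamp", "type": "DateTime"},
        {"name": "FileName", "type": "String"},
        {"name": "FileType", "type": "String"},
        {"name": "SHA256", "type": "String"},
        {"name": "Workload", "type": "String"},
    ],
    "results": [
        {"Timestamp": "2025-06-03T08:14:22Z", "FileName": "invoice_0623.pdf",
         "FileType": "pdf", "SHA256": "a" * 64, "Workload": "SharePoint"},
        {"Timestamp": "2025-06-03T09:02:10Z", "FileName": "Invoice-final.exe",
         "FileType": "exe", "SHA256": "b" * 64, "Workload": "OneDrive"},
        {"Timestamp": "2025-06-03T09:40:51Z", "FileName": "invoice (2).pdf",
         "FileType": "pdf", "SHA256": "c" * 64, "Workload": "Teams",
         "UnexpectedColumn": "dropped by rows_from_response"},
    ],
}

if __name__ == "__main__":
    rows = rows_from_response(SAMPLE_RESPONSE)
    print(summarize_by_type(rows))  # {'pdf': 2, 'exe': 1}
    print(to_siem_csv(rows))
```

To run it against a tenant, replace SAMPLE_RESPONSE with `run_hunting_query(token, INVOICE_QUERY, "P7D")`; the schema-driven row filter is what keeps the CSV columns stable if Microsoft adds fields to the table later.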
What Undercode Say:
Microsoft Defender XDR continues to evolve, providing deeper visibility into email-based threats and malicious file activities. Security teams should leverage these new tables to:
– Track phishing campaigns more effectively.
– Detect malicious files in cloud storage.
– Automate threat hunting with KQL and APIs.
Relevant Commands for Extended Analysis:
# Check a file hash (e.g. the SHA256 of a flagged file) against VirusTotal
curl -X GET "https://www.virustotal.com/api/v3/files/{hash}" -H "x-apikey: YOUR_API_KEY"
# Read the 10 most recent Microsoft Defender Antivirus operational log events on an endpoint
# (local event log, not the XDR hunting tables; for a live feed re-run or use Get-WinEvent with -FilterXPath in a loop)
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -MaxEvents 10
Prediction:
As Defender XDR matures, expect tighter integration with Azure Sentinel and more AI-driven threat correlation features.
Expected Output:
- Enhanced threat hunting with new KQL tables.
- Automated workflows for SOC efficiency.
- Deeper cloud-based file security analysis.
Reported By: Markolauren Defenderxdr – Hackers Feeds