Retiring and updating columns in the advanced hunting EmailEvents and EmailAttachmentInfo tables

We’ve streamlined our threat detection information better, replacing four separate columns for malware and phishing verdict information with three new columns that can accommodate spam and other threat types. This change widens our ability to give you more information about the type of email threat beyond malware and phishing.

Key Points:

  • Timing: 
    • New columns are available now
    • Old columns to be retired on March 1st 2021
  • Action: Review/update existing queries and rules

How this will effect your organization:

After this change, the following changes will be made to the column names:

New Column Mapping to Previous Columns Description
ThreatTypes MalwareFilterVerdict | PhishFilterVerdict Verdicts from the email filtering stack on whether the email contains malware, phishing, or other threats
DetectionMethods MalwareDetectionMethod | PhishDetectionMethod Technologies used to detect threats. This column will cover spam detection technologies in addition to the previous phishing and malware coverage. As part of this change, we have updated the set of technologies for Phish/Malware threats, as well as introduced detection technology used for Spam verdicts.
ThreatNames New JSON of technology used to detect malware, phishing, or other threats found in the email.

If you want to look for specific threats, you should use the ThreatTypes column. These new columns will be empty if there are no threats. They will NO longer be populated values like with “Null”, “Not phish”, or “Not malware”.

Here is an example comparing the values in the old and new columns:

Columns Values
Old columns


“Anti-spoof: external domain”




Not malware
New columns


Phish, Spam



{“Phish”:“Anti-spoof: external domain”,”Spam”:“DomainList”}

IMPORTANT: In March 2020, we will be retiring the following columns in the EmailEvents table and EmailAttachmentInfo of the advanced hunting schema for Microsoft 365 Defender:


What you can do to prepare:

Please make sure to review and update all your saved queries, custom detection rules, and queries you run using the API, to work with the new columns.

For example:


| where Timestamp > ago(1h)

| where MalwareFilterVerdict == “Malware” or PhishFilterVerdict == “Phish”

Can be updated to:


| where Timestamp > ago(1h)

| where ThreatTypes has “Malware” or ThreatTypes has “Phish”

Message ID: MC237350

No comments yet

Leave a Reply

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: