[Introduction]
We’re expanding hunting capabilities in Microsoft Defender for Office 365 to improve visibility into external collaboration. Previously, hunting on external Teams messages was limited to those containing URLs. With this update, you can now hunt across all external Teams messages, regardless of URL presence, using the MessageEvents table in Advanced Hunting. This enhancement supports broader investigation scenarios and provides deeper insights into external communications.
[When this will happen:]
General Availability: Rollout begins late October 2025 and is expected to complete by mid-November 2025.
[How this affects your organization:]
- Who is affected: Admins using Microsoft Defender for Office 365 and Advanced Hunting to monitor Teams message activity.
- What will happen:
- You will be able to hunt across all external Teams messages, not just those containing URLs.
- The
MessageEventstable will surface more message metadata related to external conversations. - No changes to user experience.
- No configuration changes required; the feature is enabled by default.
[What you can do to prepare:]
- No action is required to enable this feature. However, you may want to:
- Review your existing hunting queries to take advantage of the expanded data.
- Communicate this update to your security operations team.
- Expect an increase in the volume of surfaced messages in the
MessageEventstable. - Refer to the documentation for query examples and schema details: Advanced Hunting - MessageEvents table
[Compliance considerations]
| Compliance Question | Explanation |
|---|---|
| Does the change store new customer data? | External message metadata is now stored even if no URL is present. This includes sender/recipient info, timestamps, and message context. |
No other compliance considerations identified. Review as appropriate for your organization.