MVP Champ Spotlight- Pierre Thoor

Pierre is recognized as a Most Valued Professional (MVP) by Microsoft as an exceptional community leader for their technical expertise, leadership, speaking experience, online influence, and commitment to solving real-world problems. Learn more about MVPs and what it takes to become one here: FAQ | Most Valuable Professionals. Within our Security MVPs, Microsoft has hand-selected some of our top collaborative MVPs with a passion for working directly with the Product Group to share community insights with Microsoft and co-create content to help address the community needs. Read the interview below!

Figure 1: Picture of Pierre celebrating the publication of his book: Microsoft Defender for Identity in Depth. Link to check it out: https://www.amazon.com/Microsoft-Defender-Identity-Depth-cyberattack/dp/B0DK1HW2KX

Personal Story and Credibility

Q: Tell us a bit about your role and background: how did you become focused on email security and Microsoft Defender for Office? 

A: I began my career in 3rd line Windows Server support, where I first developed an interest in cybersecurity through Windows patch management. A few years later, I became more focused on Microsoft Exchange Server and securing mail flow. As the industry moved into Office 365 and Exchange Online, email protection kept improving, but it also became clear to me that email remained the number one attack vector. Most incident response cases I was involved in had a phishing or malicious email component. That’s when I realized that strengthening defenses around email could reduce a huge percentage of overall risk. Microsoft Defender for Office (MDO) naturally became my focus, not just because it protects email, but because it connects detection, protection, and response across the Microsoft 365 ecosystem. Over time, I’ve worked with everything from MDO deployment strategies and securing Microsoft 365 and Azure services to building SOC playbooks, and it’s grown into a real passion area for me. 

Q: What’s been your proudest moment as a security practitioner where MDO played a critical role? 

A: My proudest moments are when I can clearly see that MDO has stopped something dangerous before it reached users. For example, watching a phishing campaign get blocked at scale and being able to trace that in the reporting gives real proof that the protections are working as intended. It’s not about one single incident, but about seeing the technology deliver measurable protection in day-to-day use. 

Blueprint 1: Deployment and Adoption Strategy 

Q: When organizations are just starting with MDO, what are the first three steps you recommend for a successful rollout? 

A: I usually recommend three key steps for a successful rollout: 

• Start with email authentication and baseline hygiene. Make sure SPF, DKIM, and DMARC are properly configured, and that your MX records point to Exchange Online. This ensures that MDO has the right signals to work effectively. 

• Run a pilot with Preset Security Policies. Use Microsoft’s Preset Security Policies (Standard or Strict) instead of relying on the default built-in protections. The defaults are often mistaken for being “secure enough”, but they leave important gaps. Start with a smaller pilot group, validate the impact, and make sure you as an admin understand the order of precedence between preset and custom policies. This prevents misconfigurations when you scale out. 

• Leverage hunting and reporting early. Get familiar with the hunting tables in advanced hunting and the reporting capabilities in MDO. Even in the first 30–60 days, learning how to use Threat Explorer, submission reports, and campaign views will give you strong visibility and confidence in the rollout. 

Q: What common mistakes or misconceptions do you see teams make when deploying MDO? 

A: One of the most common mistakes I see is treating MDO as a “set it and forget it” product. As an SOC analyst or security administrator, you really need to understand the settings and continuously monitor what types of emails are entering your organization. 

Another common gap is not using the submission process effectively. Submitting false positives and false negatives is critical, because those signals feed directly back into Microsoft’s protection systems. The machine learning models behind MDO are continuously retrained on customer submissions, which means your input not only improves your own tenant’s protection but also strengthens detections globally. 

I also see organizations overlook the threat hunting side of MDO. Knowing the advanced hunting tables connected to email, such as EmailEvents, EmailUrlInfo, and EmailAttachmentInfo, is key for proactive defense. These give you the ability to trace campaigns, investigate suspicious patterns, and connect email telemetry with other Defender signals. 

Finally, many organizations still rely only on the Default Built-in Protection, instead of moving to Preset Security Policies (Standard or Strict) or creating custom ones. On top of that, administrators often don’t understand the policy precedence, and that lack of awareness can leave real gaps in how email is filtered and protected.

Q: Can you share your own checklist or framework for configuring MDO to get quick wins in the first 30–60 days? 

A: In the first 30–60 days, I focus on quick wins that build a strong foundation and give early visibility. My checklist looks like this: 

• Establish the foundation 

• Configure email authentication: SPF, DKIM, and DMARC. 

• Enable Preset Security Policies (Standard at minimum). If you’re using custom policies instead, make sure quarantine policies are in place. 

• Understand policy precedence and configure the Tenant Allow/Block List (TABL). 

• Secure collaboration and file sharing 

• Enable Safe Links and Safe Attachments for all users. 

• Turn on Zero-hour Auto Purge (ZAP) for Teams. 

• Prevent users from downloading malicious files in OneDrive, Teams, and SharePoint Online. 

• Set up administration and controls 

• Enable and understand Unified RBAC to control who can manage MDO and investigate emails in Threat Explorer. 

• Use Configuration Analyzer or the ORCA PowerShell module to validate your setup against best practices. 

• Build operational processes 

• Establish a clear submission process for false positives and false negatives. 

• Review Threat Explorer weekly to build familiarity with reporting and investigation. 

• Expand into hunting and alerting 

• Learn the key advanced hunting tables related to email. 

• Build custom KQL-based alerts in Defender XDR to fit your organization’s workflows. 

Blueprint 2: Operational Excellence 

Q: What features or policies have given your SOC team the biggest efficiency gains? 

A: The features that have given the biggest efficiency gains are Automated Investigation and Response (AIR) and adopting the Strict Preset Security Policies. 

With AIR, user-reported phishing emails automatically trigger an investigation playbook. The system checks details such as the sender, sending infrastructure, whether similar messages exist in the tenant, and if the campaign is already known. Safe submissions are automatically cleared, while risky ones are enriched with recommended remediation steps. This greatly reduces noise and makes investigations faster and more consistent. 

Moving to Strict Preset Policies also had a major impact. Instead of relying on the weaker default protections, Strict presets raise the security baseline and block more threats up front, which reduces the overall number of alerts and investigations needed.

Q: Could you walk us through one or two “playbooks” that your team uses to detect, respond, and remediate email threats? 

A: One of our main playbooks is for a compromised user or mailbox. It starts with an incident in Defender XDR, and then we trigger our automation built on Azure Durable Functions. The automation checks for unusual sign-ins in Entra ID, forces a password reset, revokes active tokens, and resets MFA methods. It also reviews mailbox rules for suspicious changes and if the user is blocked from sending email, sends an SMS to the end user with next steps, and finally logs all actions back into the incident for visibility. 

Blueprint 3: Driving Business Outcomes 

Q: How do you measure and report the value of MDO back to business stakeholders? 

A: We highlight MDO’s business value using the Microsoft Defender for Office 365 Overview dashboard, which provides clear, visual metrics, like threats blocked before delivery, items purged post-delivery via ZAP, and any “uncaught” threats. The dashboard also gives insights into phishing, malware, spam, impersonation detections, and risky allows. These visuals help business stakeholders quickly understand how email threats are being prevented, and where improvements are needed. 

Q: What metrics or KPIs should every MDO practitioner track to prove success? 

A: For me, the most important KPIs in MDO are: 

• Efficacy – percentage of malicious emails blocked before delivery vs. those removed after delivery. 

• User resilience – phishing click rate and volume of user-reported messages. 

• Operational performance – mean time to detect and remediate email threats. 

• Quality of tuning – false positive and false negative rates. 

Blueprint 4: Scaling and Maturing Use 

Q: Once the basics are in place, what’s the path to advanced adoption? 

A: Once the basics are in place, the path to advanced adoption usually looks like this: 

• Move from presets to custom policies – Microsoft recommends Preset Security Policies, but if your organization requires customization, make sure every user is still covered and protected. 

• Enable Automated Investigation and Response (AIR) – to take advantage of Microsoft’s built-in automation for user-reported phishing and other alerts. 

• Build additional automation playbooks – for example, in Logic Apps (or use Azure Functions), to integrate MDO signals into wider incident response workflows. 

• Use Attack Simulation Training – to measure user resilience and strengthen awareness against phishing. 

• Develop a SecOps guide for MDO – either adopt Microsoft’s guidance or create your own playbook for how to operate MDO in daily security operations. 

Q: How do you expand MDO’s impact across other tools or workflows (e.g., integration with SIEM, automation)? 

A: I expand MDO by treating it as a signal source in a SOAR pattern. MDO alerts/events flow into Defender XDR/Sentinel, which trigger Durable Functions. We fan-out to parallel tasks (enrichment, checks, and lookups), then fan-in to make a single decision and take actions. This turns MDO from just email protection into part of an automated response pipeline that also touches identity, endpoints, and collaboration tools. 

Q: What’s one advanced scenario you’ve implemented that other practitioners could replicate? 

A: One advanced scenario I’ve implemented is using MDO alerts to trigger an automated workflow in Azure Durable Functions. When a suspected phishing campaign is detected, the workflow enriches the signal with external intelligence sources like PhishTank for URL reputation and VirusTotal for file and hash lookups. From there, it decides on actions such as bulk-removing similar emails, updating the Tenant Allow/Block List, or notifying the SOC in Teams. Other practitioners could easily replicate this pattern, and even extend it with tools like ANY.RUN for sandboxing suspicious attachments. 

Blueprint 5: Community and Advocacy 

Q: Why do you want to share your experiences with the wider community? 

A: I believe sharing is caring – knowledge should be shared. Products like MDO can be complex, and it’s not always obvious how the settings actually work in practice. By sharing my own experiences and lessons learned, I try to make it easier for others to understand the product and configure it the right way. And at the same time, I also learn from the community. In the end, sharing is caring, if I can make MDO easier for someone else, then we all win. 

Q: One “field lesson” for every new MDO user? 

A: One field lesson I’d share is: don’t just turn MDO on and leave it. Take the time to understand how the features and settings really work, and share that knowledge with others. The product is powerful, but the real value comes when we as practitioners explain the ins and outs so others can avoid common mistakes. For me, sharing those lessons is just as important as learning them. 

Q: How can others follow your blueprint to adopt MDO effectively and become champions? 

A: To adopt MDO effectively, start simple: enable Preset Security Policies, make sure email authentication is in place, and build a process for handling submissions. From there, grow step by step, learn the product, get familiar with the hunting tables, and refine policies so they fit your organization. 

To become a champion, don’t keep that knowledge to yourself. Share your experiences, what worked and what didn’t, and help others avoid the same mistakes. Whether it’s inside your own company or with the wider community, that sharing is what makes you a go-to person others trust. In my view, that’s how you move from just being a practitioner to being a champion. 

Looking Forward 

Q: What feature are you most excited about in the roadmap? 

A: The feature I’m most excited about is the new ability to take actions directly from Advanced Hunting, submitting messages, adding to the Tenant Allow/Block List, and even triggering AIR investigations. For me, submissions and hunting are key parts of getting the most out of MDO, so bringing those actions together in one place will make it much easier to close the loop between detection and response. It’s a real step toward making MDO not just a filter, but an integrated part of SecOps workflows. 

Link: Microsoft 365 Roadmap | Microsoft 365 

Q: One piece of feedback to influence MDO’s future? 

A: One piece of feedback I would give is around quarantine policies in Preset Security Policies. Today, if you use presets, you’re locked into Microsoft’s default quarantine settings and can’t attach your own custom quarantine policies. I would like to see more flexibility here, so that organizations can still benefit from the simplicity and strength of presets, but adjust the quarantine experience to fit their own needs. 

Q: Where do you see the biggest opportunities for Champs like you? 

A: The biggest opportunity for Champs is to be a bridge – sharing real-world lessons with the community and feedback with Microsoft. In the end, it’s about turning experience into progress for everyone.