MVP Champ Spotlight - Pierre Thoor
Pierre is recognized as a Most Valuable Professional (MVP) by Microsoft as an exceptional community leader for their technical expertise, leadership, speaking experience, online influence, and commitment to solving real-world problems. Learn more about MVPs and what it takes to become one here: FAQ | Most Valuable Professionals. Within our Security MVPs, Microsoft has hand-selected some of our top collaborative MVPs with a passion for working directly with the Product Group to share community insights with Microsoft and co-create content to help address the community needs. Read the interview below!

Picture of Pierre celebrating the publication of his book: Microsoft Defender for Identity in Depth. Link to check it out: https://www.amazon.com/Microsoft-Defender-Identity-Depth-cyberattack/dp/B0DK1HW2KX

Personal Story and Credibility

Q: Tell us a bit about your role and background: how did you become focused on email security and Microsoft Defender for Office?

A: I began my career in 3rd line Windows Server support, where I first developed an interest in cybersecurity through Windows patch management. A few years later, I became more focused on Microsoft Exchange Server and securing mail flow. As the industry moved into Office 365 and Exchange Online, email protection kept improving, but it also became clear to me that email remained the number one attack vector. Most incident response cases I was involved in had a phishing or malicious email component. That’s when I realized that strengthening defenses around email could reduce a huge percentage of overall risk. Microsoft Defender for Office (MDO) naturally became my focus, not just because it protects email, but because it connects detection, protection, and response across the Microsoft 365 ecosystem. Over time, I’ve worked with everything from MDO deployment strategies and securing Microsoft 365 and Azure services to building SOC playbooks, and it’s grown into a real passion area for me.
Q: What’s been your proudest moment as a security practitioner where MDO played a critical role?

A: My proudest moments are when I can clearly see that MDO has stopped something dangerous before it reached users. For example, watching a phishing campaign get blocked at scale and being able to trace that in the reporting gives real proof that the protections are working as intended. It’s not about one single incident, but about seeing the technology deliver measurable protection in day-to-day use.

Blueprint 1: Deployment and Adoption Strategy

Q: When organizations are just starting with MDO, what are the first three steps you recommend for a successful rollout?

A: I usually recommend three key steps for a successful rollout:

1. Start with email authentication and baseline hygiene. Make sure SPF, DKIM, and DMARC are properly configured, and that your MX records point to Exchange Online. This ensures that MDO has the right signals to work effectively.
2. Run a pilot with Preset Security Policies. Use Microsoft’s Preset Security Policies (Standard or Strict) instead of relying on the default built-in protections. The defaults are often mistaken for being “secure enough”, but they leave important gaps. Start with a smaller pilot group, validate the impact, and make sure you as an admin understand the order of precedence between preset and custom policies. This prevents misconfigurations when you scale out.
3. Leverage hunting and reporting early. Get familiar with the hunting tables in advanced hunting and the reporting capabilities in MDO. Even in the first 30–60 days, learning how to use Threat Explorer, submission reports, and campaign views will give you strong visibility and confidence in the rollout.

Q: What common mistakes or misconceptions do you see teams make when deploying MDO?

A: One of the most common mistakes I see is treating MDO as a “set it and forget it” product.
As a SOC analyst or security administrator, you really need to understand the settings and continuously monitor what types of emails are entering your organization.

Another common gap is not using the submission process effectively. Submitting false positives and false negatives is critical, because those signals feed directly back into Microsoft’s protection systems. The machine learning models behind MDO are continuously retrained on customer submissions, which means your input not only improves your own tenant’s protection but also strengthens detections globally.

I also see organizations overlook the threat hunting side of MDO. Knowing the advanced hunting tables connected to email, such as EmailEvents, EmailUrlInfo, and EmailAttachmentInfo, is key for proactive defense. These give you the ability to trace campaigns, investigate suspicious patterns, and connect email telemetry with other Defender signals.

Finally, many organizations still rely only on the Default Built-in Protection, instead of moving to Preset Security Policies (Standard or Strict) or creating custom ones. On top of that, administrators often don’t understand the policy precedence, and that lack of awareness can leave real gaps in how email is filtered and protected.

Q: Can you share your own checklist or framework for configuring MDO to get quick wins in the first 30–60 days?

A: In the first 30–60 days, I focus on quick wins that build a strong foundation and give early visibility. My checklist looks like this:

Establish the foundation
- Configure email authentication: SPF, DKIM, and DMARC.
- Enable Preset Security Policies (Standard at minimum). If you’re using custom policies instead, make sure quarantine policies are in place.
- Understand policy precedence and configure the Tenant Allow/Block List (TABL).

Secure collaboration and file sharing
- Enable Safe Links and Safe Attachments for all users.
- Turn on Zero-hour Auto Purge (ZAP) for Teams.
- Prevent users from downloading malicious files in OneDrive, Teams, and SharePoint Online.

Set up administration and controls
- Enable and understand Unified RBAC to control who can manage MDO and investigate emails in Threat Explorer.
- Use Configuration Analyzer or the ORCA PowerShell module to validate your setup against best practices.

Build operational processes
- Establish a clear submission process for false positives and false negatives.
- Review Threat Explorer weekly to build familiarity with reporting and investigation.

Expand into hunting and alerting
- Learn the key advanced hunting tables related to email.
- Build custom KQL-based alerts in Defender XDR to fit your organization’s workflows.

Blueprint 2: Operational Excellence

Q: What features or policies have given your SOC team the biggest efficiency gains?

A: The features that have given the biggest efficiency gains are Automated Investigation and Response (AIR) and adopting the Strict Preset Security Policies. With AIR, user-reported phishing emails automatically trigger an investigation playbook. The system checks details such as the sender, sending infrastructure, whether similar messages exist in the tenant, and if the campaign is already known. Safe submissions are automatically cleared, while risky ones are enriched with recommended remediation steps. This greatly reduces noise and makes investigations faster and more consistent. Moving to Strict Preset Policies also had a major impact. Instead of relying on the weaker default protections, Strict presets raise the security baseline and block more threats up front, which reduces the overall number of alerts and investigations needed.

Q: Could you walk us through one or two “playbooks” that your team uses to detect, respond, and remediate email threats?

A: One of our main playbooks is for a compromised user or mailbox. It starts with an incident in Defender XDR, and then we trigger our automation built on Azure Durable Functions.
The automation checks for unusual sign-ins in Entra ID, forces a password reset, revokes active tokens, and resets MFA methods. It also reviews mailbox rules for suspicious changes and, if the user is blocked from sending email, sends an SMS to the end user with next steps, and finally logs all actions back into the incident for visibility.

Blueprint 3: Driving Business Outcomes

Q: How do you measure and report the value of MDO back to business stakeholders?

A: We highlight MDO’s business value using the Microsoft Defender for Office 365 Overview dashboard, which provides clear, visual metrics, like threats blocked before delivery, items purged post-delivery via ZAP, and any “uncaught” threats. The dashboard also gives insights into phishing, malware, spam, impersonation detections, and risky allows. These visuals help business stakeholders quickly understand how email threats are being prevented, and where improvements are needed.

Q: What metrics or KPIs should every MDO practitioner track to prove success?

A: For me, the most important KPIs in MDO are:
- Efficacy – percentage of malicious emails blocked before delivery vs. those removed after delivery.
- User resilience – phishing click rate and volume of user-reported messages.
- Operational performance – mean time to detect and remediate email threats.
- Quality of tuning – false positive and false negative rates.

Blueprint 4: Scaling and Maturing Use

Q: Once the basics are in place, what’s the path to advanced adoption?

A: Once the basics are in place, the path to advanced adoption usually looks like this:
- Move from presets to custom policies – Microsoft recommends Preset Security Policies, but if your organization requires customization, make sure every user is still covered and protected.
- Enable Automated Investigation and Response (AIR) – to take advantage of Microsoft’s built-in automation for user-reported phishing and other alerts.
- Build additional automation playbooks – for example, in Logic Apps (or use Azure Functions), to integrate MDO signals into wider incident response workflows.
- Use Attack Simulation Training – to measure user resilience and strengthen awareness against phishing.
- Develop a SecOps guide for MDO – either adopt Microsoft’s guidance or create your own playbook for how to operate MDO in daily security operations.

Q: How do you expand MDO’s impact across other tools or workflows (e.g., integration with SIEM, automation)?

A: I expand MDO by treating it as a signal source in a SOAR pattern. MDO alerts/events flow into Defender XDR/Sentinel, which trigger Durable Functions. We fan-out to parallel tasks (enrichment, checks, and lookups), then fan-in to make a single decision and take actions. This turns MDO from just email protection into part of an automated response pipeline that also touches identity, endpoints, and collaboration tools.

Q: What’s one advanced scenario you’ve implemented that other practitioners could replicate?

A: One advanced scenario I’ve implemented is using MDO alerts to trigger an automated workflow in Azure Durable Functions. When a suspected phishing campaign is detected, the workflow enriches the signal with external intelligence sources like PhishTank for URL reputation and VirusTotal for file and hash lookups. From there, it decides on actions such as bulk-removing similar emails, updating the Tenant Allow/Block List, or notifying the SOC in Teams. Other practitioners could easily replicate this pattern, and even extend it with tools like ANY.RUN for sandboxing suspicious attachments.

Blueprint 5: Community and Advocacy

Q: Why do you want to share your experiences with the wider community?

A: I believe sharing is caring – knowledge should be shared. Products like MDO can be complex, and it’s not always obvious how the settings actually work in practice.
By sharing my own experiences and lessons learned, I try to make it easier for others to understand the product and configure it the right way. And at the same time, I also learn from the community. In the end, sharing is caring: if I can make MDO easier for someone else, then we all win.

Q: One “field lesson” for every new MDO user?

A: One field lesson I’d share is: don’t just turn MDO on and leave it. Take the time to understand how the features and settings really work, and share that knowledge with others. The product is powerful, but the real value comes when we as practitioners explain the ins and outs so others can avoid common mistakes. For me, sharing those lessons is just as important as learning them.

Q: How can others follow your blueprint to adopt MDO effectively and become champions?

A: To adopt MDO effectively, start simple: enable Preset Security Policies, make sure email authentication is in place, and build a process for handling submissions. From there, grow step by step, learn the product, get familiar with the hunting tables, and refine policies so they fit your organization. To become a champion, don’t keep that knowledge to yourself. Share your experiences, what worked and what didn’t, and help others avoid the same mistakes. Whether it’s inside your own company or with the wider community, that sharing is what makes you a go-to person others trust. In my view, that’s how you move from just being a practitioner to being a champion.

Looking Forward

Q: What feature are you most excited about in the roadmap?

A: The feature I’m most excited about is the new ability to take actions directly from Advanced Hunting, submitting messages, adding to the Tenant Allow/Block List, and even triggering AIR investigations. For me, submissions and hunting are key parts of getting the most out of MDO, so bringing those actions together in one place will make it much easier to close the loop between detection and response.
It’s a real step toward making MDO not just a filter, but an integrated part of SecOps workflows. Link: Microsoft 365 Roadmap | Microsoft 365

Q: One piece of feedback to influence MDO’s future?

A: One piece of feedback I would give is around quarantine policies in Preset Security Policies. Today, if you use presets, you’re locked into Microsoft’s default quarantine settings and can’t attach your own custom quarantine policies. I would like to see more flexibility here, so that organizations can still benefit from the simplicity and strength of presets, but adjust the quarantine experience to fit their own needs.

Q: Where do you see the biggest opportunities for Champs like you?

A: The biggest opportunity for Champs is to be a bridge – sharing real-world lessons with the community and feedback with Microsoft. In the end, it’s about turning experience into progress for everyone.

MVP Champ Spotlight - Derk van der Woude
Derk is recognized as a Most Valuable Professional (MVP) by Microsoft as an exceptional community leader for their technical expertise, leadership, speaking experience, online influence, and commitment to solving real-world problems. Learn more about MVPs and what it takes to become one here: FAQ | Most Valuable Professionals. Within our Security MVPs, Microsoft has hand-selected some of our top collaborative MVPs with a passion for working directly with the Product Group to share community insights with Microsoft and co-create content to help address the community needs. Read the interview below!

Personal Story and Credibility

Q: Tell us a bit about your role and background: how did you become focused on securing Internet of Things (IoT) and Operational Technology (OT) devices?

A: Let’s start with a disclaimer: my passion for Microsoft Security is very broad, from offensive to defensive, from XDR to SIEM, and from IT to OT. One cannot exist without the other. I studied computer science back in the 90s, and the same month I started to work in IT, I studied and passed the MCSE (6 books at the time) exams. For the last 25+ years, I've worked as a Microsoft partner with some personal highlights: MCM (Microsoft Certified Master) Exchange in 2010, Microsoft MVP in 2021, and CCP Discussion Leader for Defender for IoT in 2024. The moment I was reading the book ‘Countdown to Zero Day’ back in 2014 about Stuxnet, OT security became an important aspect in my life and still is to this day because human lives are at stake.

Q: What’s been your proudest moment as a security practitioner where Defender for IoT played a critical role?

A: My proudest moments are more general in detecting bad actors in the environment via Microsoft Security products, probably in the reconnaissance phase, and preventing bad things from happening like domain dominance or global malware deployment. Truly make the world a safer place.
Blueprint 1: Deployment and Adoption Strategy

Q: When organizations are just starting with Defender for IoT, what are the first three steps you recommend for a successful rollout?

A: Step one should be asset inventory; you cannot protect what you don’t know. Step two is to look at the network topology; are the IT and OT devices in separate networks (Purdue model even), or are the IT and OT devices interconnected (IT/OT convergence) in the same network? This is important for the solution. And the third and final step is to look at the surrounding assets because it’s not always a stand-alone solution but a better together solution with Defender for Endpoint, Defender for Identity, Sentinel, etc.

Q: What common mistakes or misconceptions do you see teams make when deploying Defender for IoT?

A: Deploy Defender for IoT without knowing the environment, for example: deploy Defender for IoT in a flat network with some OT devices but many IT devices. First, you pay extra because the Site license is based on the number of assets. Second, you get a lot of noise in alerting because an OT use case is alerting on internet connectivity, while IT connects to the internet all the time.

Q: Can you share your own checklist or framework for configuring Defender for IoT to get quick wins in the first 30–60 days?

A: Microsoft has an excellent checklist and framework on the Microsoft Learn site, but as mentioned before, first look at your network topology and know your devices. An outcome of a Defender for IoT Proof of Concept can be that you finally understand your network topology, which you did not before (all based on assumptions) and how subnets/VLANs are interconnected.

Blueprint 2: Operational Excellence

Q: What features or policies have given your security team the biggest efficiency gains?
A: Better together, so deploy Defender for IoT as the core solution for OT networks and devices but add Defender for Endpoint on the Windows and/or Linux devices in the network and Defender for Identity if there is an OT Active Directory. Second (my personal opinion), I think that internet-connected (in a secure manner, like IP, port, and DNS ACLs or even data diodes) is more secure than an air-gapped network, because even air-gapped needs updates (firmware, operating system, threat intel, etc.), and we come back to my personal statement that 99% of all OT attacks start from IT (e.g. a USB key in an air-gapped network is IT for me).

Q: How do you structure your team’s workflows so that Defender for IoT alerts integrate smoothly into daily operations?

A: Educate the team of Defenders. First, prevention is better than the cure, but seeing outdated software on OT devices does not mean you can patch them instantly: downtime can be very expensive, or the supplier may not exist anymore. And secondly, pure OT alerts are different from your typical IT alerts, like a command to shut down a PLC.

Q: Could you walk us through a “playbook” that your team uses to detect, respond, and remediate IoT/OT threats?

A: As mentioned before, 99% of all OT attacks start from IT, so the integration of Defender for IoT in Defender XDR is, in my opinion, a game changer with advanced features like Attack Disruption to automatically stop an attack without human intervention if the true positive rate is 99+%.

Blueprint 3: Driving Business Outcomes

Q: How do you measure and report the value of Defender for IoT back to business stakeholders?

A: It should be part of the overall Security Policy. Although there are far fewer alerts on OT compared to IT, the impact is much greater because it’s often critical infrastructure, not always in the sense of lives at stake but also the right of an organization to exist.
Q: Without naming company names, can you share an example where Defender for IoT directly identified a threat or misconfiguration, ultimately better securing an organization?

A: Not directly a threat, but Defender for IoT showed how flat the network was and that literally all devices could communicate with each other; you don’t want that in the case of worm malware.

Blueprint 4: Scaling and Maturing Use

Q: Once the basics are in place, what’s the path to advanced adoption and security?

A: Adding the better together story with Defender XDR (consisting of Defender for Endpoint, Defender for IoT and Microsoft Sentinel). Also, a secured cloud connection that provides real-time analytics, up-to-date threat intelligence, etc.

Q: How do you expand Defender for IoT's impact across other tools or workflows (e.g., integration with SIEM, automation, Advanced Hunting)?

A: I think, unless you are 100% air-gapped due to policy, the connection with Microsoft Defender XDR and Microsoft Sentinel is a must because of IT/OT convergence as mentioned before.

Blueprint 5: Community and Advocacy

Q: Why do you share your experiences with the wider community, and how has it benefited you in return?

A: I think OT security in a crisis (look at what happens in Ukraine) is far more important than getting back investments in AI. Best of both worlds: I think AI can make OT security even more efficient and practical. I always say: if you know, you do; if you understand, you teach. If I can only help one person with an answer or via my blogs, I’m happy 😊

Q: What’s one “field lesson” you’d want every new Defender for IoT user to know before they begin?

A: Start with a Proof of Concept, and often it’s a surprise how the network is routed and which assets are connected.

Q: How can others follow your blueprint to both adopt Defender for IoT effectively and become champions in the practitioner community?

A: Join the CCP program and read my blogs Derk van der Woude – Medium.
Again, my blogs are very broad about Security because Security is a very broad topic and everything is connected, directly or indirectly. I learned the most from setting up my physical home lab.