Two MDO field reports every IT security lead should read
Two LinkedIn field reports by Tyler Swinehart (Director of Global IT & Security at IRONSCALES) expose operational blind spots in Microsoft Defender for Office 365 (MDO). The first covers the hidden search limitations of MDO Explorer: no regex or OR operators, Unicode matches silently dropped, and a 30-day cap on searchable history. The second covers the opacity of MDO Quarantine: no explanation of why a message received its verdict, a hidden RBAC console, undocumented submission workflows, and preset security policies (Standard/Strict) that silently take precedence over custom configurations with no warning in the UI.

The broader takeaway is that native email security tooling often lacks operational transparency: the ability for an analyst to understand why a verdict was reached, verify that the custom policies they configured are actually the ones being applied, and retrieve logs older than the retention window. Recommendations include auditing the preset vs. custom policy stack, building KQL skills for Advanced Hunting (which does support regex and OR), forwarding mail telemetry to longer-retention storage, and making operational transparency a formal evaluation criterion when assessing email security tools.
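As an added example (not code from Swinehart's posts, from IRONSCALES, or from Microsoft), the following PowerShell script implements the "audit preset vs. custom policy stack" recommendation against Exchange Online. It lists the enabled Standard/Strict preset security policy rules with their recipient scope, lists the custom anti-phish rules in priority order, and resolves one mailbox (the address is an assumption) to say whether a preset rule captures it before any custom policy is consulted. It assumes an Exchange Online PowerShell session with a role that can read protection policies, and that the rules' SentTo/RecipientDomainIs properties carry SMTP addresses and domains as the cmdlets report them.

```powershell
# Added example (not from the original posts): audit which recipients the preset
# security policies capture before any custom policy can run.
# Prerequisite: Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline
# Precedence in EOP/MDO: Strict preset > Standard preset > custom policies (by Priority) > default.

# EOP preset rules always exist; the ATP (Defender for Office 365) rules need a
# Defender license, so tolerate their absence instead of aborting.
$presetRules = @(Get-EOPProtectionPolicyRule) +
               @(Get-ATPProtectionPolicyRule -ErrorAction SilentlyContinue) |
    Where-Object { $_.State -eq 'Enabled' }

if (-not $presetRules) {
    Write-Host 'No enabled preset security policy rules: custom policies apply in priority order.'
}

foreach ($rule in $presetRules) {
    Write-Host ("Preset rule '{0}' (priority {1}) is enabled and scoped to:" -f $rule.Name, $rule.Priority)
    Write-Host ("  SentTo:                    {0}" -f ($rule.SentTo -join ', '))
    Write-Host ("  SentToMemberOf:            {0}" -f ($rule.SentToMemberOf -join ', '))
    Write-Host ("  RecipientDomainIs:         {0}" -f ($rule.RecipientDomainIs -join ', '))
    Write-Host ("  ExceptIfSentTo:            {0}" -f ($rule.ExceptIfSentTo -join ', '))
    Write-Host ("  ExceptIfRecipientDomainIs: {0}" -f ($rule.ExceptIfRecipientDomainIs -join ', '))
}

# Custom anti-phish rules in evaluation order (lower Priority number wins among custom rules).
$customRules = Get-AntiPhishRule | Sort-Object Priority
foreach ($rule in $customRules) {
    Write-Host ("Custom anti-phish rule '{0}' -> policy '{1}' (priority {2}, {3})" -f
        $rule.Name, $rule.AntiPhishPolicy, $rule.Priority, $rule.State)
}

# Resolve one mailbox. Direct address and domain scoping are checked here;
# SentToMemberOf (group membership) is reported but not expanded, so a non-empty
# group scope is returned as "verify membership" rather than a definite answer.
function Test-PresetCoverage {
    param([Parameter(Mandatory)][string]$Recipient)

    $domain = $Recipient.Split('@')[1]
    foreach ($rule in $presetRules) {
        $excluded = ($rule.ExceptIfSentTo -contains $Recipient) -or
                    ($rule.ExceptIfRecipientDomainIs -contains $domain)
        if ($excluded) { continue }

        if (($rule.SentTo -contains $Recipient) -or ($rule.RecipientDomainIs -contains $domain)) {
            return "{0}: captured by '{1}'; custom policies will NOT apply." -f $Recipient, $rule.Name
        }
        if ($rule.SentToMemberOf) {
            return "{0}: '{1}' is scoped by group(s) {2}; verify membership before trusting custom policies." -f
                $Recipient, $rule.Name, ($rule.SentToMemberOf -join ', ')
        }
    }
    return "{0}: not in any preset scope; custom policies apply in priority order." -f $Recipient
}

Test-PresetCoverage -Recipient 'alice@contoso.example'   # assumed sample address, not from the posts
```

Run it once per policy type you care about (swap Get-AntiPhishRule for Get-HostedContentFilterRule, Get-SafeLinksRule, or Get-SafeAttachmentRule) and once per representative mailbox; a mailbox that lands in a preset scope is the case the Quarantine post describes, where a carefully tuned custom policy exists but never runs for that user.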
Table of contents
The Explorer post: search that “works” but doesn’t tell you what it’s doing
The Quarantine post: a product that disagrees with you and won’t say why
The thread between both posts
What to do with this