Session

We turned on Defender for Office 365. Now what?

This session picks up where deployment ends and real security operations begin. Through live demonstrations, we investigate actual attack scenarios - AiTM phishing campaigns, post-compromise inbox rule abuse, QR code evasion, and the silent SCL -1 bypass that lets threats walk straight past your filters.

You’ll see the full investigation lifecycle in Threat Explorer and Email Entity Panel, write Advanced Hunting queries that surface what dashboards miss, and walk through the false positive and false negative workflows that keep your detection sharp. We also cover the newly released Teams protection capabilities in MDO - because attackers aren’t limiting themselves to email anymore.

No slides-only theory. Every concept is demonstrated with real emails, real headers, and real KQL. You’ll walk out with ready-to-use hunting queries and investigation techniques you can run in your own tenant on Monday.

Pierre Thoor

Trusted Microsoft Cloud Cybersecurity Advisory Specialist @ Onevinn

Helsingborg, Sweden
