Exchange Online Protection anti-spam / anti-phish policy stacking

Most people think email security in Microsoft 365 is a switch. It’s not. It’s a stack.

And the stack runs in an order you don’t get to vote on.

I see the same thing on tenant after tenant. Someone opened the anti-spam policy years ago, nudged a slider, ticked a box they’d read about on a forum, and walked away. The default phishing policy has never been touched. Connection filter? Empty. Then a dodgy invoice lands in the MD’s inbox and everyone’s surprised.

Here’s the part that catches people out. Those custom tweaks you made? They might be the reason the bad mail got through.

Stop hand-building policies. Turn on the presets and learn the order things fire in. That’s the whole job.

What is policy stacking, really?

Every inbound message runs a gauntlet. Connection filtering checks the source IP. Anti-malware scans the payload. Anti-spam scores the content. Anti-phishing checks for spoofing and impersonation. Each layer has its own policy, and each policy has a priority number.

That’s not one setting. That’s five layers, each with its own verdict, stacked on top of each other.

The catch is precedence. When two policies could apply to the same person, only one wins — the one with the highest priority. Your hand-rolled custom policy beats the preset. The preset beats the default. So if you built a loose custom anti-spam policy back in 2021 and switched on the Standard preset last week, the custom one still wins. The preset you thought protected everyone is being skipped for those users.

Microsoft lays out the full order of precedence — read it once and it’ll save you a dozen support tickets.

Step-by-Step: turn on the stack

You do all of this in the Microsoft Defender portal. No PowerShell. No Exchange admin center.

Open the presets

Go to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Preset Security Policies.

Turn on Standard for everyone

Flip Standard protection to On and apply it to All recipients. That covers anti-spam, anti-malware, anti-phishing — and, if you’re licensed for Defender, Safe Links and Safe Attachments — all on Microsoft’s recommended settings, all maintained for you.

Turn on Strict for the people who get targeted

Flip Strict protection on and scope it to the MD, finance, payroll, and anyone with signing authority. Strict catches more and complains more. That trade is worth it for the accounts attackers actually go after.

Add your impersonation names

In the Strict wizard, add the names and addresses of your VIPs to impersonation protection. This is the bit that stops “Hi, it’s the boss, can you buy some gift cards.”

Delete the cruft

Go back to your custom anti-spam and anti-phishing policies. Any old one that’s weaker than the preset is now a hole. Remove it, or you’ve armoured the front door and left a window wide open.

Notice what’s missing from that list?

Inbound mail flow:
  Connection filter → Anti-malware → Anti-spam → Anti-phishing

Standard preset  → All recipients
Strict preset    → VIPs + impersonation list

No sliders. No SCL thresholds. No ASF tick-boxes you read about once and never quite understood. The presets carry all of that, and Microsoft updates them as the threats move. You’re not tuning a spam filter any more. You’re choosing who gets the strong one.

Why this actually changes behaviour

“We’ve always had email security on.”

Sure. But “on” and “correctly ordered” are two different sentences. Most tenants I audit have layers fighting each other — a custom policy quietly overriding the preset, an exclusion nobody remembers, a default policy doing the bare minimum for half the staff.

Presets end that argument. Everyone gets a known-good baseline. Your VIPs get more. And because the settings aren’t yours to drift, the config still makes sense in two years when someone else opens it.

For an MSP, that’s gold. You deploy the same posture across every client in an afternoon, document it in one screenshot, and stop defending slider choices in a review. Consistency is a security control. Drift is the vulnerability.

If you’re still hand-tuning spam policies client by client, you’re doing unpaid work that makes them less safe.

Turn on the presets. Fix the order. Delete the rest.

That’s not a spam setting. It’s a security baseline — and it’s already in the licence you sold them.

The Gap Is The Point

Someone asked me last week what my goals were for the next twelve months. I gave the usual answer — bigger speaking calendar, more clients, a couple of certifications I’ve been putting off. Standard stuff. Then I drove home and realised the answer I’d just given was the version of me that exists today talking. Not the version I’m trying to become. There’s a difference, and most of us never sit with it long enough to feel it.

I’ve started thinking about my future self as a separate person. Not a fantasy figure, but the version of me five years from now who reads what I’m reading now, sits in the rooms I’m sitting in now, eats what I’m eating, wakes up with the habits I’m building today. That person already exists in outline. Every choice I’m making is voting for who they turn out to be.

The inputs are the outputs

The honest truth is that almost nobody wakes up in five years and accidentally becomes someone better. The reading you do, the people you stay close to, what you put on your plate at lunch, the routines you let calcify — those are the materials. There is no secret fifth ingredient. If you don’t like where you’re heading, change one of the four. That’s the whole lever.

The trap is thinking the future version of you is waiting for some big reinvention moment. A course, a milestone, a quiet six months. That moment never arrives. The future you is being built right now, in the tiny decisions you barely notice — the email you snap off in two seconds versus the one you take three minutes to write properly, the meeting you let drift versus the one you tighten with an agenda before walking in.

What would the better version do right now

This is the question I keep coming back to. Not what would I do — what would the sharper, calmer, more focused version of me do with this hour? The one I’m trying to become. It reframes everything. The reply I was about to send, the meeting I was about to accept, the rabbit hole I was about to fall into. Most of the time the answer is obvious; I just don’t want to hear it.

This is also where Copilot has quietly changed how I work. When I open Outlook in the morning and ask Copilot to summarise overnight threads, the better version of me actually has time to think instead of reacting to a triage queue. When I sit down to a Teams meeting and let Copilot handle the recap, I’m fully present in the conversation rather than half-scribbling notes. The point isn’t the feature — it’s that the friction keeping me stuck in version-of-me-today gets quietly removed. The future me has more room to show up.

Direction, not failure

Most people read the gap between who they are and who they want to be as evidence they’re falling short. I read it the other way. The gap is the only signal that tells you which way to walk. If there’s no gap, you’ve stopped growing. If the gap is huge, that’s not a problem — that’s a map.

So this week I’m watching what I read, who I sit with, what I put on my plate, and which habits I’m letting form by accident. Five years sounds like a long time. It isn’t. It’s about 1,800 versions of today, stacked on top of each other. The future me is being built in the next hour. So is yours.

Copilot audit logs in Purview

Most people ask the wrong question about Copilot.

They ask “is it safe?” What they mean is “can it leak our stuff?” Fair worry. But it’s the wrong place to start.

The real question a client should be asking is “can you show me what Copilot has been doing?” Because if the answer is no, safe or not doesn’t matter. You’re flying blind.

Here’s the thing nobody tells you in the licensing pitch. Every Copilot interaction is already being recorded. You don’t have to buy anything. You don’t have to flip a switch. It’s been sitting in the unified audit log the whole time, waiting for someone to go look.

Most MSPs never do.

What is Copilot audit logging, really?

It’s the receipt for every conversation your users have with Copilot.

When someone asks Copilot in Word to summarise a document, or asks Copilot in Teams what they missed, that interaction writes a record into Microsoft Purview. Who did it. When. Which Copilot app. And — this is the part that matters — which files and resources Copilot reached into to answer.

This happens automatically as part of Audit (Standard), which is on by default for business tenants. If auditing is running, Copilot logging is running. Microsoft spells it out in the audit logs for Copilot and AI applications docs: no extra steps, no separate config.

That’s not a feature you enable. That’s a feature you’ve been ignoring.

Step-by-Step: finding Copilot activity in Purview

Open the Audit solution

Go to the Microsoft Purview portal at purview.microsoft.com, sign in, and pick Audit from the Solutions list on the left. If you’ve got the Audit Logs or View-Only Audit Logs role, you’ll land on the search page. If you don’t, that’s your first job — sort the permissions, per the search the audit log guidance.

Set your date range and activity

Pick a start and end date. Then in the activities filter, search for the Copilot record type.

RecordType: CopilotInteraction
Activity:   Interacted with Copilot

Notice what’s missing? No prompt text in that filter. The audit row tells you that a conversation happened and what files it touched — it doesn’t hand you the back-and-forth wording. That content lives elsewhere, retained for eDiscovery and Communication Compliance, not in the row you’re reading. Knowing that distinction is what separates someone who’s read the docs from someone who’s guessing.

Run the search and read the resources

Start the job. It keeps running even if you close the browser, and finished searches stick around for 30 days. Open a result and look at the AccessedResources field. That’s the gold. It shows the actual files Copilot pulled in to ground its answer.

This is where oversharing shows up. If Copilot is referencing a payroll spreadsheet for someone in the warehouse, you didn’t find a Copilot problem. You found a permissions problem Copilot just made visible.

Export when you need a paper trail

Push the results to CSV. Now you’ve got evidence, not anecdotes.

Why this actually changes the client conversation

Walk into a renewal with “Copilot is secure, trust me” and you sound like every other reseller.

Walk in with “here’s a report of every file Copilot accessed last quarter, and here are the three oversharing issues we caught and fixed” — that’s a different meeting. That’s you doing governance, not selling a licence.

“Wait, so I can actually prove Copilot isn’t quietly reading files it shouldn’t?”

Yes. And that single sentence is worth more to a nervous business owner than any feature slide.

One caveat worth knowing. Retention isn’t infinite and it isn’t equal. On most Business Premium tenants you’re looking at 180 days. On E5, key workloads stretch to a year, and you can build longer audit log retention policies if compliance demands it. If a client needs to answer “what happened nine months ago,” check the retention before you promise the answer exists.

This is the stuff cyber insurance forms ask about. It’s what SMB1001 and Essential Eight assessors want to see. Not “do you have Copilot.” But “can you account for what it did.”

Copilot doesn’t forget. Make sure you can read what it remembers.

If you’ve rolled Copilot out to a client and you can’t pull this report, you haven’t finished the rollout. You’ve just started the part nobody bothered to do.

Why Your Marketing Keeps Disappearing

I see the same pattern in MSP after MSP. The pipeline thins out, sales gets nervous, and suddenly there’s a flurry of activity. A newsletter goes out. A few posts appear on LinkedIn. Someone dusts off the old webinar deck. Leads start trickling in, projects get signed, and the team gets buried in delivery. Six weeks later, the marketing has gone quiet again. No newsletter. No posts. No webinar. Just heads down, tickets, and onboarding.

Then the pipeline thins out again. And the cycle starts over.

What surprises me is how few owners recognise this as the actual problem. They tell me they’re tired of marketing. That it doesn’t work. That they’ve tried it. But when I push a little, what they’ve actually tried is marketing in panic mode — a short, intense burst when sales were already down. Of course it didn’t work. It was never given enough time to.

The exhaustion is the symptom, not the cause

The story most owners tell themselves sounds reasonable. “I stopped because I was exhausted.” Sit with it for a minute and the logic flips. You weren’t exhausted because you were marketing. You were exhausted because you were doing everything in catch-up mode — chasing leads you should have already had, writing content you should have written months ago, scrambling for testimonials you should have collected at the time of delivery.

Steady marketing isn’t what wears people out. The on-again, off-again version is what wears people out. And every time you stop, you guarantee the next round will be harder than the last, because you’re always starting cold.

Make the boring part automatic

This is the part where Microsoft 365 quietly earns its keep. Most MSPs already pay for it. Few of them use it for their own business the way they sell it to clients.

Pick one rhythm and protect it. A weekly post. A fortnightly newsletter. A monthly client tip. Whatever the cadence, build it inside the tools you already live in. I’ll sit down on a Sunday morning, open Copilot in Word, and ask it to turn a few rough notes from the week into a draft post. Ten minutes later I have something to work with rather than a blank page. In Outlook, Copilot can take a long internal email — a war story from a recent project, an interesting client question — and reshape it into something appropriate for an audience.

Park the ideas as they happen. A Loop component pinned in a Teams channel called “marketing scraps” is enough. A Planner board with one column for “next post”, one for “next newsletter”, and one for “case study someday” gives you a queue instead of a panic. None of this is glamorous. It’s plumbing. But the plumbing is what keeps the tap running when you’re flat out delivering.

Steady beats clever

I’ve never met an MSP that grew because of one brilliant campaign. I’ve met plenty that grew because they kept showing up — every week, every month, regardless of how the pipeline looked that quarter. The content wasn’t always sharp. The newsletter wasn’t always polished. But it was there.

If your marketing only appears when you need sales, your prospects learn the pattern too. They see the silence and read it correctly. The fix isn’t a bigger push. It’s a smaller, steadier one — and an honest look at why the quiet stretches keep happening.

You’re not exhausted by marketing. You’re exhausted by stopping.

Copilot in Outlook

Most people meet Copilot in Outlook through the Draft button. They click it, type “write a reply saying yes”, watch it produce three paragraphs of corporate waffle, and quietly decide the whole thing is overrated.

I get why. That’s the demo everyone shows. It’s also the least interesting thing Copilot does in your inbox.

The real value isn’t writing email faster. It’s reading it faster.

Think about where your time actually goes. It’s not composing. It’s the forty-message thread you got CC’d on at 4pm — the one you have to scroll to the bottom of and reconstruct before you can say anything useful. That’s the tax.

So before you write a single prompt, flip the question. Don’t ask “what can Copilot write for me?” Ask “what am I wasting time reading?”

What is Copilot in Outlook, really?

It’s two jobs wearing one badge.

The first job is Summarize. Open a long thread and there’s a “Summary by Copilot” card sitting at the top. One click boils the thread down to who said what and what’s still outstanding — with little numbered references back to the actual messages, so you can check it didn’t invent anything.

The second job is Draft. You give it an instruction, it writes the email, you fix the bits it got wrong. Tone and length are dials, not destiny.

Notice the order I put those in. Summarize first. For most people that’s eighty percent of the value — and nobody demos it.

Step-by-Step: getting actual value out of it

Summarise before you read

Open any thread more than a few replies deep. Click Summary by Copilot at the top of the message. Read the summary, then jump straight to the messages it references. You’ve just skipped the scroll.

Draft by pointing, not pleading

Here’s the prompt pattern that works:

Reply to the client agreeing to the Tuesday 2pm slot,
confirm I'll send the agenda by Friday, keep it short and warm.

Notice what’s missing? No “please write a professional email that…”. No throat-clearing. You point at the decision and the facts, and Copilot handles the wording. Vague in, vague out — every time.

Set the tone, then get out of the way

Before you generate, open the tone and length options. Pick direct and short for internal mail. Save formal for the email going to a client’s lawyer. Microsoft’s own walkthrough covers drafting an email with Copilot if you want the full button tour.

Always read it before you send

Copilot will confidently add a detail you never gave it. The draft is a starting point, not an outbox.

The shared mailbox trap that catches everyone

Here’s the one that generates support tickets.

Your client runs everything out of info@ or accounts@. They turn on Copilot, open the shared mailbox, hit Summarize… and nothing. The button’s missing, or it tells them it has no knowledge of that mailbox.

For a long time, Copilot in Outlook only worked on your primary mailbox. Shared and delegate mailboxes were off-limits — the single most common “is this thing broken?” question I get.

That’s finally changing. Microsoft now supports Copilot in shared and delegate mailboxes, but the fine print matters: the person using it needs the right level of access, the mailbox has to live in Exchange Online, and encrypted messages still can’t be read. So when a client says “it doesn’t work in our support inbox”, you can tell them why — and what to check — instead of shrugging.

That’s the difference between an MSP who resold Copilot and one who understands it.

Why this actually changes behaviour

“I’ll get to my inbox after lunch.”

That sentence is a productivity confession. Inbox triage gets deferred because it’s expensive — every thread is a small act of reconstruction before you can act.

Summarize makes that cost almost nothing. When reading a forty-message thread takes ten seconds instead of ten minutes, you stop quarantining email into a dreaded afternoon block and start clearing it in the gaps between meetings.

That’s not a feature. That’s a different relationship with your inbox.

Your inbox doesn’t pay you to read. It pays you to decide.

My recommendation? Teach clients Summarize first, Draft second. Draft is the headline. Summarize is the reason they’ll keep the licence.

If you’re not showing them both — and the shared mailbox gotcha — you’re leaving the best part of what they’re already paying for sitting in the box.

Consistency Doesn’t Show Up When Things Are Comfortable

A good month in an MSP can hide a lot. The pipeline is healthy, the techs are humming, the client tickets are getting closed, and Friday afternoon feels almost calm. In those weeks, every business looks disciplined. Every process looks tight. Every standard looks honoured.

That’s not consistency. That’s just a quiet stretch.

The real test arrives when something breaks — a bad migration, a difficult client, a tech walking out, a month where revenue doesn’t land. That’s when you find out whether your standards live in your head or live in the way your business actually behaves.

The discipline you don’t see in a good month

I’ve watched MSPs run beautifully for a quarter and then quietly drop the things that made them beautiful the moment work got heavy. The monthly client reviews stop. The patching cadence slips. The onboarding checklist becomes “we’ll get to that next week.” Nobody decides to lower the bar. It just happens, one small omission at a time, until what was a standard is now just a story you tell prospects.

What I’ve come to respect is the unglamorous stuff that keeps going regardless of mood. The same Monday standup at the same time every week. The same security baseline applied to every new tenant. The same call to a client at the same point in their lifecycle, even when there’s nothing wrong. Those rhythms only feel valuable when things get bumpy — and by then it’s too late to start them.

Build the rhythm, then defend it

This is where I think a lot of MSPs underuse what’s already sitting in their stack. A weekly cadence in Microsoft Planner with the same recurring tasks, surfaced through a Teams channel everyone actually opens, is more useful than a polished playbook nobody reads. A standing client review template in Word, kept in the same Teams tab month after month, builds a record that shows whether you actually turned up.

Copilot helps here in a way I didn’t fully appreciate until recently. Asking Copilot in Outlook to summarise a client’s last quarter of email before a review meeting takes ninety seconds and means the conversation starts with something real. Asking Copilot in Teams to recap the last three internal stand-ups before a leadership meeting means decisions don’t get re-litigated. Asking it to pull the highlights from a SharePoint site of project notes before a Monday catch-up turns ten minutes of digging into one minute of reading. The point isn’t the time saved — it’s that the rhythm becomes easier to maintain on the day you’d rather skip it.

Tools don’t create consistency. But the right ones lower the friction enough that you keep showing up on the days you don’t feel like it.

When nobody’s watching

The reason consistency is hard isn’t intelligence or capability. It’s that nobody claps for it. Doing the same review the same way for the eighteenth time in a row produces no dopamine. No client thanks you for the patches that didn’t cause an outage. No prospect signs because your internal documentation happens to be current.

But the MSPs I see growing steadily — not in spikes, but year after year — are almost always the ones doing the boring things on the bad days as well as the good ones. That’s the only kind of consistency that actually compounds, and it’s almost never visible from the outside until much later.

So the question I keep asking myself, and the one I’d put to anyone running an MSP right now, is simple. What did you still do well last month, when nothing was easy? That’s the answer that tells you who you actually are as a business.

Defender for Endpoint Web Filtering

A client rings up. Staff are burning half the day on betting sites, or someone clicked something they shouldn’t have, and now they want you to “lock down the web.”

So you go and price a web filter. Cisco Umbrella, DNSFilter, a firewall add-on. Another line item, another agent, another renewal to babysit.

Stop.

If that client is on Microsoft 365 Business Premium, you already sold them a web filter. It’s been sitting inside Defender, switched off, the whole time.

That’s not an upsell. That’s a setting.

What is web content filtering, really?

It watches where your devices go on the web and lets you block whole categories of sites by name. Gambling. Adult content. Peer-to-peer. Hacking. You tick a category, and people in the groups you choose stop being able to reach it, whether they’re in the office or working from a café.

Microsoft calls it web content filtering, and it rides on protection that’s already on the machine. In Edge, the blocks are enforced by SmartScreen. In Chrome, Firefox, Brave and Opera, they lean on network protection. Both of those have to be switched on, or nothing happens.

Here’s the part most people miss. Any category you don’t block gets audited automatically. So before you stop a single site, you get a report of exactly where your client’s staff have been going.

You can’t filter what you can’t see. So start by seeing.

Step-by-Step: turn it on, then point it at something

Switch on the feature

In the Microsoft Defender portal, go to Settings > Endpoints > Advanced features and flip Web content filtering to On. Save.

Create a policy and just watch

Go to Settings > Endpoints > Rules > Web content filtering and add a policy. Target a device group. Don’t block your client’s contentious categories yet. Let the audit data build.

Read the report

Open Reports > Web protection and look at the Web activity by category card. Give it time, there’s up to a 12-hour lag before activity shows up. This is the bit that changes the conversation. You’re no longer guessing what staff do online. You’re looking at it.

Block what actually matters

Now edit the policy and tick the categories the report told you to care about.

Microsoft Defender portal → Settings → Endpoints
   Advanced features → Web content filtering = On
   Rules → Web content filtering → + Add policy
Reports → Web protection → Web activity by category

Notice what’s missing? No PowerShell. No third agent. No new licence. Every step lives in a portal your client is already paying for.

Why this actually changes behaviour

Because you walk into the renewal with evidence, not a hunch.

“Here are 4,000 hits to gambling sites last month, off three machines.” That’s a discussion the business owner can act on. A quote for Umbrella is just a number they’ll push back on.

“But we already quoted them a web filter.” Fine. Now you can show them what they’d be paying for, and that they already own it.

A few things will bite you if you’re not watching for them:

Edge uses SmartScreen, everything else uses network protection. If network protection is in audit mode or off, your blocks are theatre. Lovely report, no enforcement.
Non-Microsoft browsers won’t honour HTTPS category blocks unless QUIC and Encrypted Client Hello are disabled. Leave them on and Chrome quietly routes around you.
Expect lag. Up to 12 hours before activity lands in the report, up to two hours before a block bites. Don’t test it in the first five minutes and declare it broken.

And when you genuinely need an exception, you don’t loosen the whole category. You carve out one site with a custom indicator, which sits above the filter in the order of precedence. Allow always wins over block. That’s your release valve when the boss insists on one specific site.

Run the audit, read the Web protection report, then block with proof in hand.

Web content filtering isn’t there to add a product to your stack. It’s there to delete one.

If you’re billing a client for a separate web filter on top of Business Premium, you’re charging them for something they already own. Show them the report instead.

That’s not filtering. That’s value you can prove.

Why "I Don’t Have a Good Idea" Is Almost Never the Real Problem

I have a conversation almost every week that goes the same way. Someone tells me they want to start their own thing. They want a bit more control over their time, a bit more income, a path that doesn’t rely on a payslip landing every fortnight. Then they sigh and say the same line: “I just don’t have a good idea.”

I used to nod along. Now I push back. Because in nearly every case, that’s not what’s actually going on.

The skills are already there

Sit with someone for half an hour and ask them what they’ve done in the last decade of work. You’ll hear about budgets they’ve cleaned up, teams they’ve coached, customers they’ve calmed down, processes they’ve quietly fixed without ever being asked. They’ve negotiated with suppliers, written training material on the fly, run projects with no formal authority, and kept things moving when the org chart said they shouldn’t have been able to.

That’s not a person without a good idea. That’s a person sitting on a stack of skills they’ve never priced.

The gap isn’t capability. The gap is translation — taking what they already do well and shaping it into something a stranger would happily pay for.

Why people freeze at the start

The freeze happens because “find an idea” is the wrong instruction. It sends people hunting for a thunderbolt — some clever niche nobody else has noticed, some product the world has never seen. So they wait. They scroll. They tell themselves they need to read another book or finish another course before they’re ready.

Meanwhile, the offer they could already build is sitting in plain sight: the thing colleagues keep asking them for help with, the problem they solved twice at their last job, the work they actually enjoy that most people genuinely struggle with.

The question isn’t “what’s a brilliant new idea?” The question is “what do I already do well that someone, somewhere, has a real problem paying to get done?”

Use the tools to pull the offer out of your head

This is where I think modern tooling — and Copilot in particular — earns its place for first-time business owners. Not because it hands you an idea, but because it pulls one out of you far faster than you could working alone with a blank notebook.

Open a fresh document in Word, switch on Copilot, and have it interview you. Ask it to walk you through your last five roles and pull out the recurring problems you solved. Ask it to draft three different one-page offers from those skills, each aimed at a different type of customer. Drop your LinkedIn profile into a Loop page and ask Copilot to suggest who would benefit most from the work you’ve already done. Then take the strongest lines into a Teams chat with someone whose judgement you trust and pressure-test them.

In an afternoon you can move from “I don’t have an idea” to three rough offers on a page. None of them have to be perfect. They just have to be concrete enough to test in a real conversation with a real person.

The shift that matters

Financial freedom rarely begins with a perfect idea. It begins with a good-enough offer, said out loud to the right person, then reshaped based on what they actually said back.

If you’ve been waiting for the lightning bolt, give yourself permission to stop. The idea you’re looking for is almost certainly already inside the experience you’ve already had. The job now is to get it out of your head, onto a page, and in front of someone who might say yes.

That’s a much smaller first step than most people think.