Exchange Online Protection anti-spam / anti-phish policy stacking


Most people think email security in Microsoft 365 is a switch. It’s not. It’s a stack.

And the stack runs in an order you don’t get to vote on.

I see the same thing on tenant after tenant. Someone opened the anti-spam policy years ago, nudged a slider, ticked a box they’d read about on a forum, and walked away. The default phishing policy has never been touched. Connection filter? Empty. Then a dodgy invoice lands in the MD’s inbox and everyone’s surprised.

Here’s the part that catches people out. Those custom tweaks you made? They might be the reason the bad mail got through.

Stop hand-building policies. Turn on the presets and learn the order things fire in. That’s the whole job.

What is policy stacking, really?

Every inbound message runs a gauntlet. Connection filtering checks the source IP. Anti-malware scans the payload. Anti-spam scores the content. Anti-phishing checks for spoofing and impersonation. Each layer has its own policy, and each policy has a priority number.

That’s not one setting. That’s four layers in EOP alone, six once Defender for Office 365 adds Safe Attachments and Safe Links, each with its own verdict, stacked on top of each other.

The catch is precedence. When several policies of the same type could apply to one recipient, only one is applied, and it’s the one highest in Microsoft’s order of precedence: the Strict preset first, then the Standard preset, then your custom policies in priority order (0 wins), then the default policy. So a recipient inside the Standard preset’s scope gets Standard, whatever your custom policy says. The hole is everyone the preset doesn’t reach: a group you never added, an exception, a shared mailbox. For them, that loose custom anti-spam policy from 2021 is still the one doing the filtering, and if the preset is ever switched off the custom policies are back in charge for everybody.

Microsoft lays out the full order in its “Order and precedence of email protection” article. Read it once and it’ll save you a dozen support tickets.

Step-by-Step: turn on the stack

You do all of this in the Microsoft Defender portal. No PowerShell. No Exchange admin center.

Open the presets

Go to security.microsoft.com, then Email & collaboration > Policies & rules > Threat policies > Preset Security Policies.

Turn on Standard for everyone

Flip Standard protection to On and apply it to All recipients. That covers anti-spam, anti-malware, anti-phishing — and, if you’re licensed for Defender, Safe Links and Safe Attachments — all on Microsoft’s recommended settings, all maintained for you.

Turn on Strict for the people who get targeted

Flip Strict protection on and scope it to the MD, finance, payroll, and anyone with signing authority. Strict catches more and complains more. That trade is worth it for the accounts attackers actually go after.

Add your impersonation names

In the Strict wizard, add the names and addresses of your VIPs to impersonation protection (and your own domains, if you want domain impersonation covered too). Impersonation protection is a Defender for Office 365 feature, so this step only appears if you’re licensed for it; an EOP-only tenant gets spoof intelligence but not this. This is the bit that stops “Hi, it’s the boss, can you buy some gift cards.”

Delete the cruft

Go back to your custom anti-spam and anti-phishing policies. Any old one that’s weaker than the preset is a hole: it still governs whoever the preset’s scope misses, and it comes straight back if the preset is ever turned off. Remove it (the rule and the policy), or you’ve armoured the front door and left a window wide open. The default policies can’t be deleted; they catch anyone no other rule reaches, so bring them up to the preset’s settings rather than leaving them loose.
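The four steps above are portal work, but the portal never shows you the whole stack in precedence order on one screen, and “weaker than the preset” is a judgement you have to make policy by policy. The PowerShell audit below is an added example, not part of the original post and not Microsoft’s tooling. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange Administrator or Security Administrator role, and that the Standard-preset values hardcoded in `$standard` still match Microsoft’s recommended-settings table (they shift between releases; check the table). `Get-WeakerThanStandard` and the `$rank` ordering of spam actions are my own helper and heuristic, not anything in the product. The script is read-only.

```powershell
# Added audit script, not part of the original post. Assumptions: ExchangeOnlineManagement
# module installed; Exchange/Security Administrator sign-in; the Standard values in $standard
# match Microsoft's recommended-settings table (re-check it). Read-only: reports, changes nothing.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false    # interactive sign-in

# 1. The presets. Strict is priority 0, Standard is 1. A rule in state Disabled protects nobody,
#    and anything listed under ExceptIf* falls through to the custom/default policies below.
'== Preset security policies (EOP half) =='
Get-EOPProtectionPolicyRule | Sort-Object Priority |
    Format-Table Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs,
                 ExceptIfSentTo, ExceptIfSentToMemberOf -AutoSize

# Defender for Office 365 tenants also carry the Safe Links / Safe Attachments half of each preset.
if (Get-Command Get-ATPProtectionPolicyRule -ErrorAction SilentlyContinue) {
    '== Preset security policies (Defender half) =='
    Get-ATPProtectionPolicyRule | Sort-Object Priority |
        Format-Table Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs -AutoSize
}

# 2. Custom anti-spam policies in the order they win among themselves (lower Priority first),
#    compared against the Standard preset's published values (assumed; see lead-in).
$standard = @{
    SpamAction = 'MoveToJmf'; HighConfidenceSpamAction = 'Quarantine'
    PhishSpamAction = 'Quarantine'; HighConfidencePhishAction = 'Quarantine'
    BulkSpamAction = 'MoveToJmf'; BulkThreshold = 6
}
# My own strength ranking of the possible actions; lower number = weaker outcome for the recipient.
$rank = @{ Quarantine = 3; Delete = 3; MoveToJmf = 2; Redirect = 1; ModifySubject = 1; AddXHeader = 0 }

function Get-WeakerThanStandard {
    param($Policy)
    $reasons = @()
    foreach ($k in 'SpamAction','HighConfidenceSpamAction','PhishSpamAction','HighConfidencePhishAction','BulkSpamAction') {
        $actual = [string]$Policy.$k
        if (-not $rank.ContainsKey($actual) -or $rank[$actual] -lt $rank[$standard[$k]]) { $reasons += "$k=$actual" }
    }
    if ($Policy.BulkThreshold -gt $standard.BulkThreshold) { $reasons += "BulkThreshold=$($Policy.BulkThreshold)" }
    # Allowed sender domains skip spam filtering for every address at that domain: a classic hole.
    $allowedDomains = ($Policy.AllowedSenderDomains | Measure-Object).Count
    if ($allowedDomains -gt 0) { $reasons += "AllowedSenderDomains=$allowedDomains" }
    return $reasons
}

'== Custom anti-spam policies =='
Get-HostedContentFilterRule | Sort-Object Priority | ForEach-Object {
    $rule = $_
    $p = Get-HostedContentFilterPolicy -Identity $rule.HostedContentFilterPolicy
    [pscustomobject]@{
        Priority           = $rule.Priority
        Rule               = $rule.Name
        State              = $rule.State
        Scope              = (@($rule.SentTo) + @($rule.SentToMemberOf) + @($rule.RecipientDomainIs) | Where-Object { $_ }) -join ','
        WeakerThanStandard = (Get-WeakerThanStandard $p) -join '; '
    }
} | Format-Table -AutoSize

# 3. Custom anti-phish policies. Impersonation protection, mailbox intelligence and the phishing
#    threshold are Defender for Office 365 features; in an EOP-only tenant those columns stay empty.
'== Custom anti-phish policies =='
Get-AntiPhishRule | Sort-Object Priority | ForEach-Object {
    $rule = $_
    $p = Get-AntiPhishPolicy -Identity $rule.AntiPhishPolicy
    [pscustomobject]@{
        Priority          = $rule.Priority
        Rule              = $rule.Name
        State             = $rule.State
        SpoofIntelligence = $p.EnableSpoofIntelligence
        PhishThreshold    = $p.PhishThresholdLevel        # Standard preset uses 3, Strict uses 4
        UserImpersonation = $p.EnableTargetedUserProtection
        ProtectedUsers    = ($p.TargetedUsersToProtect | Measure-Object).Count
        MailboxIntel      = $p.EnableMailboxIntelligenceProtection
    }
} | Format-Table -AutoSize

# 4. The defaults cannot be deleted and apply to anyone no preset or custom rule reaches.
'== Default policies (cannot be removed; apply to whoever is left over) =='
Get-HostedContentFilterPolicy | Where-Object IsDefault |
    Format-Table Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction, BulkThreshold -AutoSize
Get-AntiPhishPolicy | Where-Object IsDefault |
    Format-Table Name, EnableSpoofIntelligence, PhishThresholdLevel, EnableTargetedUserProtection -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it after the portal steps. The first table should show both preset rules Enabled, Strict at priority 0 with your VIP scope, Standard at priority 1 with All recipients, and no exceptions you can’t justify. Anything with a non-empty WeakerThanStandard column is the cruft to remove (`Remove-HostedContentFilterRule` then `Remove-HostedContentFilterPolicy`, or the portal); and the last two tables are what anyone outside every rule actually gets, so they should be no looser than Standard.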

Notice what’s missing from that list?

Inbound mail flow:
  Connection filter → Anti-malware → Anti-spam → Anti-phishing

Standard preset  → All recipients
Strict preset    → VIPs + impersonation list

No sliders. No bulk (BCL) thresholds. No ASF tick-boxes you read about once and never quite understood. The presets carry all of that, and Microsoft updates them as the threats move. You’re not tuning a spam filter any more. You’re choosing who gets the strong one.

Why this actually changes behaviour

“We’ve always had email security on.”

Sure. But “on” and “correctly ordered” are two different sentences. Most tenants I audit have layers fighting each other: a custom policy still governing the mailboxes the preset was never scoped to, an exclusion nobody remembers, a default policy doing the bare minimum for half the staff.

Presets end that argument. Everyone gets a known-good baseline. Your VIPs get more. And because the settings inside a preset aren’t yours to edit, they can’t drift, so the config still makes sense in two years when someone else opens it.

For an MSP, that’s gold. You deploy the same posture across every client in an afternoon, document it in one screenshot, and stop defending slider choices in a review. Consistency is a security control. Drift is the vulnerability.

If you’re still hand-tuning spam policies client by client, you’re doing unpaid work that makes them less safe.

Turn on the presets. Fix the order. Delete the rest.

That’s not a spam setting. It’s a security baseline — and it’s already in the licence you sold them.
