From 33b4c04a4530a9bc001cf7e8980f77ab2eb78806 Mon Sep 17 00:00:00 2001
From: Mariam Nazih Morgan <109584685+mariammorgan@users.noreply.github.com>
Date: Fri, 12 Sep 2025 09:32:15 +0300
Subject: [PATCH 1/2] Update how-policies-and-protections-are-combined.md

in the section Exchange mail flow rules (also known as transport rules):
When Mail flow rule blocks, if the message is spam or hspm or phish still filter wins and not organization
Tested and confirmed on several tenants
Also see EOP filtering stack
https://learn.microsoft.com/en-us/defender-office-365/protection-stack-microsoft-defender-for-office365#phase-3---content-filtering
ETR set scl before our filtering content
https://learn.microsoft.com/en-us/defender-office-365/protection-stack-microsoft-defender-for-office365#phase-3---content-filtering
if ETR set scl to 5 or 6 it will be overridden by SCL of our Machine learning
---
 .../how-policies-and-protections-are-combined.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/defender-office-365/how-policies-and-protections-are-combined.md b/defender-office-365/how-policies-and-protections-are-combined.md
index a38e8303f8..b7357a5ea1 100644
--- a/defender-office-365/how-policies-and-protections-are-combined.md
+++ b/defender-office-365/how-policies-and-protections-are-combined.md
@@ -153,10 +153,10 @@ Organization allows and blocks are able to override some filtering stack verdict |---|---|---| |Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined| |High confidence phishing|**Filter wins**: Email quarantined except in complex routing|**Filter wins**: Email quarantined| - |Phishing|**Organization wins**: Email delivered to mailbox|**Organization wins**: Phishing action in the applicable anti-spam policy| - |High confidence spam|**Organization wins**: Email delivered to mailbox|**Organization wins**: Email delivered to user's Junk Email folder| - |Spam|**Organization wins**: Email delivered to mailbox|**Organization wins**: Email delivered to user's Junk Email folder| - |Bulk|**Organization wins**: Email delivered to mailbox|**Organization wins**: Email delivered to user's Junk Email folder| + |Phishing|**Organization wins**: Email delivered to mailbox|**filter wins**: Phishing action in the applicable anti-spam policy| + |High confidence spam|**Organization wins**: Email delivered to mailbox|**filter wins**: Email delivered to user's Junk Email folder| + |Spam|**Organization wins**: Email delivered to mailbox|**Filter wins**: Email delivered to user's Junk Email folder| + |Bulk|**Organization wins**: Email delivered to mailbox|**Filter wins**: Email delivered to user's Junk Email folder| |Not spam|**Organization wins**: Email delivered to mailbox|**Organization wins**: Email delivered to user's Junk Email folder| \* Organizations that use a non-Microsoft security service or device in front of Microsoft 365 should consider using [Authenticated Received Chain (ARC)](email-authentication-arc-configure.md) (contact the service for availability) and [Enhanced Filtering for Connectors (also known as skip listing)](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) instead of an SCL=-1 mail flow rule. 
These improved methods reduce email authentication issues and encourage [defense-in-depth](step-by-step-guides/defense-in-depth-guide.md) email security. From 3e3c5317732b9fb118e4b324643ebbe9c0a03fb3 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Fri, 12 Sep 2025 08:25:31 -0700 Subject: [PATCH 2/2] Update date and fix casing in filtering stack --- .../how-policies-and-protections-are-combined.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defender-office-365/how-policies-and-protections-are-combined.md b/defender-office-365/how-policies-and-protections-are-combined.md index b7357a5ea1..df693c12f4 100644 --- a/defender-office-365/how-policies-and-protections-are-combined.md +++ b/defender-office-365/how-policies-and-protections-are-combined.md @@ -17,7 +17,7 @@ ms.custom: description: Admins can learn how the order of protection settings and the priority order of threat policies affect the application of protection in Microsoft 365. ms.service: defender-office-365 search.appverid: met150 -ms.date: 07/08/2025 +ms.date: 09/12/2025 appliesto: - ✅ Default email protections for cloud mailboxes - ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2 
@@ -153,8 +153,8 @@ Organization allows and blocks are able to override some filtering stack verdict |---|---|---| |Malware|**Filter wins**: Email quarantined|**Filter wins**: Email quarantined| |High confidence phishing|**Filter wins**: Email quarantined except in complex routing|**Filter wins**: Email quarantined| - |Phishing|**Organization wins**: Email delivered to mailbox|**filter wins**: Phishing action in the applicable anti-spam policy| - |High confidence spam|**Organization wins**: Email delivered to mailbox|**filter wins**: Email delivered to user's Junk Email folder| + |Phishing|**Organization wins**: Email delivered to mailbox|**Filter wins**: Phishing action in the applicable anti-spam policy| + |High confidence spam|**Organization wins**: Email delivered to mailbox|**Filter wins**: Email delivered to user's Junk Email folder| |Spam|**Organization wins**: Email delivered to mailbox|**Filter wins**: Email delivered to user's Junk Email folder| |Bulk|**Organization wins**: Email delivered to mailbox|**Filter wins**: Email delivered to user's Junk Email folder| |Not spam|**Organization wins**: Email delivered to mailbox|**Organization wins**: Email delivered to user's Junk Email folder|
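Review bot: In the table hunk of patch 1/2, the High confidence spam, Spam and Bulk rows flip the label in the last column from "Organization wins" to "Filter wins" but keep the outcome text "Email delivered to user's Junk Email folder" unchanged, so the cell still describes the result that was written for the organization's block rather than the filter's own action. The Phishing row in the same column already reads "Phishing action in the applicable anti-spam policy"; if the filter verdict really decides the outcome, the other three rows should either use matching wording for the action configured in the applicable anti-spam policy, or the author should confirm that the Junk Email folder is the result regardless of how that policy is configured. The commit message says the behaviour was tested on several tenants, so a short statement of which policy actions were in effect during the test would settle this. Separately, the two new "**filter wins**" cells (Phishing, High confidence spam) are lowercase while the Spam and Bulk cells added in the same hunk are "**Filter wins**".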
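Review bot: The table hunk of patch 2/2 only corrects the casing of the two "**filter wins**" cells introduced in 1/2, and after both patches the article still gives readers no reason why a mail flow rule block loses to the filter for Phishing, High confidence spam, Spam and Bulk while it wins for Not spam. The explanation exists only in the commit message of 1/2 (the rule sets the SCL before content filtering runs, and an SCL of 5 or 6 set by the rule is overridden by the filter's SCL). Suggest adding a footnote under the table that states this and links to the content filtering phase of the protection stack article cited in that commit message, since admins who rely on SCL-setting rules as a block mechanism need to know the filter verdict takes precedence. The casing fix itself could be squashed into 1/2 so the lowercase variant never lands in history.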