Confidential · Do not distribute · &DEV/SEC
■ Confidential Security Posture Assessment Ref: &DEV/SEC/2026-0714
Subject: Your firm  ·  Status: Exposed

Your clients trust you with everything. Your Microsoft 365 should be as careful as you are.

A fixed, expert uplift of your Microsoft 365 tenant — built for law firms, mortgage brokers and IFAs who cannot afford a breach, a regulator's question, or a client who quietly loses faith.

Book a 30-minute review Read the options
◦ Cyber Essentials aligned ◦ UK engineers ◦ No tie-ins
Exhibit 00 — Mailbox capture● Live
From   Karen Whitfield, client
Re     Completion funds — 14 Ashcroft Lane

"Hi — as discussed, please transfer the balance of £184,500 to account 40 21 66 / sort code 09 01 28 ahead of Friday. Let me know once it's away."

Hover to reveal what a resident intruder reads.
INTERCEPTED
Finding 01 — The order matters

We fix the tenant before we monitor it.

Most providers sell you a dashboard and call it security. We start by closing the gaps that actually let people in — misconfigured mailboxes, dormant admin rights, licences bought but never switched on. Only once the foundations are sound does monitoring mean anything at all.

Exhibit A

For a regulated firm, a breach is never just an IT problem.

§ 01

Client money

Redirected completion funds and invoice fraud land on the firm, not the bank. The sums are rarely small.

§ 02

Your regulator

The SRA, FCA and ICO all expect you to protect client data. “We assumed Microsoft handled it” is not an answer.

§ 03

Confidentiality

One compromised mailbox exposes years of privileged correspondence and sensitive personal data.

§ 04

Reputation

Referrals dry up quietly. Clients rarely say they left because of a breach — they just stop calling.

Exhibit B — Incident file

A real firm.
A real incident.
A full rebuild.

A twelve-partner practice came to us after a completion payment was redirected. The attacker had sat quietly in a mailbox for weeks, reading correspondence and waiting.

14:02

The tenant held licences for advanced protection that were paid for but never enabled.

14:09

A former contractor still held global admin rights nobody had reviewed in two years.

14:20

There was no alerting, so the intrusion went unnoticed until the money moved.

We rebuilt the tenant properly in days. The recovery had already taken months.

Remediation

Start where it makes sense for your firm.

Most firms start here
L1Baseline

Foundations, made right

A one-off uplift that closes the gaps and hands the tenant back to you, documented.

MFA enforced on every account
Admin rights reviewed and separated
Email authentication (SPF, DKIM, DMARC)
Written summary of what changed
Start with Baseline →
Most firms start here
L2Managed

Kept right, over time

Everything in Baseline, plus ongoing hardening as Microsoft and your firm change.

Everything in Baseline
Conditional access & policy upkeep
Data loss prevention & retention rules
Quarterly review, plain-English report
Talk about Managed →
Most firms start here
L3Full

Watched, so you needn’t

Managed plus monitoring and response — someone is watching the tenant so you don’t have to.

Everything in Managed
Monitoring & alerting on your tenant
Incident response when something moves
Staff phishing awareness training
Talk about Full →
Control schedule

What's included, control by control

Ref
Control
L1 Baseline
L2 Managed
L3 Full
SEC-01
MFA enforced across all accounts
SEC-02
Privileged / admin account hardening
SEC-03
Email authentication (SPF, DKIM, DMARC)
SEC-04
Anti-phishing & impersonation protection
SEC-05
Safe Links & Safe Attachments
SEC-06
Written uplift summary
SEC-07
Conditional access & ongoing policy upkeep
SEC-08
Data loss prevention & retention rules
SEC-09
Quarterly review & board-ready report
SEC-10
Monitoring & alerting on your tenant
SEC-11
Incident response
SEC-12
Staff phishing awareness training

● Included    ○ Not in this tier  ·  Fixed-scope uplift priced per tenant after the review. L2/L3 add a monthly retainer. Exact figures confirmed on the call — no obligation.

Note to file

What we don't do

i.

Rip out what works

If your setup is sound, we’ll say so and leave it alone. We’re not here to sell you things you don’t need.

ii.

Tie you into hardware

This is about your Microsoft 365 tenant. No servers to buy, no five-year contracts, no vendor lock-in.

iii.

Hide behind jargon

You’ll always get plain English and a written record a non-technical partner can read and act on.

On the record

Questions firm principals actually ask

General IT support keeps you working day to day; it rarely means someone has deliberately secured your Microsoft 365 tenant against a targeted attack. The two jobs are different, and we’re happy to work alongside your existing provider.

It has excellent security tools, but almost none of the important ones are switched on by default. We turn on and configure the protections you’re very likely already paying for in your licences.

The review is 30 minutes. The Baseline uplift is typically completed within a week or two, scheduled around your firm so there’s no disruption to fee-earners.

Almost never. Most changes happen behind the scenes. The main visible change is stronger sign-in, which we roll out with clear guidance so nobody is caught out.

Yes. The uplift directly supports the data-protection and confidentiality obligations those regulators expect, and the written summary gives you evidence of the steps you’ve taken.

The Baseline uplift is a fixed price per tenant, confirmed after the review. Managed and Full add a monthly retainer. We’ll give you exact figures on the call, with no obligation.

Request assessment

Book a 30-minute security review.

We'll look at your tenant with you, tell you plainly where the real gaps are, and leave you with a written summary — whether or not you go further with us.

✓  No prep needed from your side ✓  You speak to an engineer, not a salesperson ✓  Written findings, yours to keep

Received — we'll reply within one working day.

Something went wrong — please email hello@and.dev.

Reply within one working day · No marketing lists