idspispopd I already shared this with you offline, but let me also reply to this comment as it could help others in the same situation. For these UM messages where there is no Return-Path, you can try a different logic for the lockdown rule:
- Condition If “X-OriginatorOrg” matches: “$”
- Action Reject (test it for a couple of months using “generated incident report” before reject)
- Except If “X-OriginatorOrg” matches: “contoso.com or contoso.onmicrosoft.com or (all EXO accepted domains)”
Basically, the rule doesn't rely on the Internal/External condition; instead it looks for the presence of X-OriginatorOrg. If we find any header containing X-OriginatorOrg, we are sure that someone sent it bypassing the 3rd-party antispam. The reason is that X-OriginatorOrg is only accepted by Exchange if the message was sent through mail.protection.outlook.com STARTTLS. Your antispam will accept this header, but when the antispam sends the message to Exchange, this header should be stripped, as your antispam doesn't have the mail.protection.outlook.com certificate.
When I say "should", it is because there is a caveat to be aware of. The receive connector that accepts messages from the 3rd-party antispam cannot have the Externally Secured permission; otherwise it will accept X-OriginatorOrg from your 3rd-party antispam.
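The rule described in the comment above, written out as Exchange Online PowerShell. This is an added example and not the commenter's own script; the rule name, the incident-report mailbox (secops@contoso.com), and the use of Get-AcceptedDomain to build the exception list are assumptions, and the connector check at the end assumes an on-premises (hybrid) Exchange Management Shell, since Get-ReceiveConnector does not exist in Exchange Online.

```powershell
# Added example: the X-OriginatorOrg lockdown rule from the comment above.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).
# The rule name and report mailbox are assumed values; change them for your tenant.

$ruleName = 'Lockdown - mail carrying X-OriginatorOrg not from our tenant'
$reportTo = 'secops@contoso.com'   # assumed mailbox that receives the incident reports

# Exception list: every accepted domain of the tenant (contoso.com,
# contoso.onmicrosoft.com, ...). Pulled from the tenant instead of hard-coded,
# and anchored so that "contoso.com" does not also match "notcontoso.com".
$ownDomainPatterns = (Get-AcceptedDomain).DomainName |
    ForEach-Object { '^' + [regex]::Escape($_) + '$' }

# Phase 1: detect only. The pattern '$' matches any value, so the condition fires
# whenever the header is present at all; the exception removes our own domains.
# Single quotes keep '$' literal in PowerShell.
New-TransportRule -Name $ruleName `
    -Priority 0 `
    -HeaderMatchesMessageHeader 'X-OriginatorOrg' `
    -HeaderMatchesPatterns '$' `
    -ExceptIfHeaderMatchesMessageHeader 'X-OriginatorOrg' `
    -ExceptIfHeaderMatchesPatterns $ownDomainPatterns `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections `
    -Mode Enforce

# Phase 2: after a couple of months of reviewing the reports, add the reject action
# to the same rule (the incident report keeps firing, which is useful for auditing).
Set-TransportRule -Identity $ruleName `
    -RejectMessageReasonText 'Message did not arrive through the inbound mail gateway' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Caveat check (on-premises Exchange Management Shell, hybrid deployments):
# a receive connector using the Externally Secured mechanism trusts the relay and
# keeps X-OriginatorOrg, which would let the antispam relay defeat the rule.
Get-ReceiveConnector |
    Where-Object { $_.AuthMechanism -match 'ExternalAuthoritative' } |
    Select-Object Identity, RemoteIPRanges, AuthMechanism, PermissionGroups
```

Run the phase 1 block first and watch the reports for false positives (for example legitimate mail from another tenant that is relayed through your own tenant), then run phase 2 only once the report volume is understood. If the connector check lists the connector used by the 3rd-party antispam, the header will not be stripped on that path and the rule cannot be trusted until that connector is changed.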