A colleague of mine shared https://www.reddit.com/r/sysadmin/comments/1mdqn17/comment/n65sg9o/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button on how to monitor what is actually being sent to your tenant via Direct Send via a clever Transport rule. I set it up for myself, so far so good. Using this method to "test" and see what is coming at us using Direct Send before I enable RejectDirectSend in EXO without have exceptions in place for legitimate traffic.
Blocking the sending IP from the header data (the IP that comes after the (127.0.0[.]1) in the header) in my Anti-Spam default policy has proven very effective at stopping this traffic for my tenant completely, until the next IP relay is used of course.