@tonysperbeck, you are very right; people should pay attention to this. I am not sure why this is even a feature if anyone can spoof real emails within the organization; I regret enabling this feature versus the transport rule (it is too late to roll it back, as I read your comment and tested in 09/2024). People will have a false sense of security, so ensure your DKIM and SPF are correctly configured. I am listing again what tonysperbeck said (credit to him for testing this). Also, something to add: it does not work on native iOS and Android on mobile phones. 09/2024
Just an important note about this feature to share with you all...
Per Microsoft's design, the IsExternalSender MAPI property is not set to TRUE if an external sender spoofs an SMTP-address that is assigned to a mailbox within your Exchange Online organization. This is important for your mail users to be aware of, as the "External" call-out will not be applied to messages that spoof fellow mail users from the same Exchange Online organization.
So do not have your employees rely on this "External" call-out to differentiate someone maliciously phishing as an executive employee giving directions to do things.
While DMARC policy can route such spoofing messages to the Junk Email folder, they still will not have the "External" call-out applied to them by Outlook.
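Since the thread's advice is to verify SPF, DKIM and DMARC rather than trust the "External" tag, here is a posture-check script for an Exchange Online tenant. It is an added example, not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that you have already run Connect-ExchangeOnline, and that Resolve-DnsName (Windows DnsClient module) is available. The domain is a placeholder parameter, and selector1/selector2 are the default Exchange Online DKIM selector names.

```powershell
# Added example (not from the original thread): check whether the Outlook
# external-sender tag is enabled and whether the domain's SPF, DKIM and DMARC
# are in place. As the thread notes, a DMARC policy can junk spoofed internal
# addresses but does not make Outlook apply the "External" tag to them.
# Assumes: ExchangeOnlineManagement module, an active Connect-ExchangeOnline
# session, and the Windows DnsClient module for Resolve-DnsName.
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain   # placeholder, e.g. "contoso.example"
)

# 1. Is the Outlook external-sender call-out enabled at all?
$tag = Get-ExternalInOutlook
"ExternalInOutlook enabled: $($tag.Enabled)"

# 2. Is DKIM signing enabled for the domain in Exchange Online?
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if ($null -eq $dkim) { "DKIM: no signing config for $Domain" }
else { "DKIM signing enabled for ${Domain}: $($dkim.Enabled)" }

# 3. Public DNS: SPF record, DKIM selector CNAMEs, DMARC policy.
function Get-TxtRecord([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } |
        ForEach-Object { $_.Strings -join '' }
}

$spf = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' }
if (-not $spf) { "SPF: MISSING for $Domain" } else { "SPF: $spf" }

foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { "DKIM ${sel}: $($cname.NameHost)" } else { "DKIM ${sel}: MISSING CNAME" }
}

$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }
if (-not $dmarc) {
    "DMARC: MISSING; spoofed internal addresses will not be junked by policy"
} elseif ($dmarc -match 'p=none') {
    "DMARC: $dmarc (p=none only reports; quarantine or reject is needed to act on spoofing)"
} else {
    "DMARC: $dmarc"
}
```

Run it as `.\Check-MailAuth.ps1 -Domain yourdomain.example` after connecting to Exchange Online. Any MISSING line is a gap that leaves internal-address spoofing unaddressed regardless of the Outlook tag setting.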