I've had a case open with 365 Support for two months now and we continue to chase our tails. They pointed us to this URL about upcoming SRS features that could help us.
All our mailboxes are in the cloud, but we have ~400 DDGs spread across ~100 e-mail domains for remote offices that existed prior to migration to Exchange Online. We don't have SPF, DMARC or DKIM records on any of the domains which we do not send from.
Actual user mailboxes only send from 3 of these domains, so most of those domains are receive-only. Those DDGs reference OUs and custom attributes that won't sync to O365, and it'd be a nightmare to redesign them. Because the DDGs need to be expanded by the hybrid on-premises server, external email goes first to the (pre-O365) 3rd-party security service (our MX record), which relays to the Exchange 2013 hybrid server. Hybrid re-routes to the final destination on O365, with no e-mail services in between hybrid and cloud. Yes, I know 2013 recently went out of support, but I've been hampered by 1) unclear directions on how to migrate it to a later Exchange on a later OS and 2) internal management's desire to place a different project higher on the priority list.
The challenge we have is that after enabling Defender for Office 365 in mid-April, we get a ton of false phishing positives being quarantined. We noticed one scenario where a message coming from an external domain such as gmail.com, which was sent to a DDG, will have its sender address rewritten as the e-mail address of the DDG. In the quarantine portal, it shows that the sender was from an internal domain and not gmail.com, which I believe is at least part of our false positive problem.
We have two enabled outbound connectors on the hybrid, with different weighting. The connector which goes to O365 has a scoping cost of 1, and the one which goes direct to internet has a scoping cost of 10.
I cannot locate anything on the hybrid outbound connectors talking about rewriting, and that doesn't surprise me due to their age. But 1) I see nothing about SRS in the HCW, 2) it's not referenced in the cloud inbound router, and 3) it's false in the cloud outbound connector.
Will any of these upcoming SRS changes alleviate our situation? If not, any other ideas towards resolution?
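One way to collect the facts a support engineer would ask for on this topology (SRS state on the cloud connectors, send connector costs on the hybrid, which quarantined items carry an internal sender, and what the envelope sender looks like at each on-premises hop) in a single pass. This is an added diagnostic script and not part of the original post; it assumes Exchange Online PowerShell (`Connect-ExchangeOnline`) for the cloud commands and the Exchange Management Shell on the 2013 hybrid server for the on-premises commands. The group address and time windows are placeholders.

```powershell
# Added diagnostic example (not from the original post). Cloud section assumes
# the ExchangeOnlineManagement module; on-premises section assumes the Exchange
# Management Shell on the Exchange 2013 hybrid server. Addresses are placeholders.

# --- Exchange Online --------------------------------------------------------
Connect-ExchangeOnline

# SRS is surfaced per outbound connector as SenderRewritingEnabled; the post
# reports it as false on the connector that points back to the hybrid.
Get-OutboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderRewritingEnabled, SmartHosts

# Inbound connectors: confirms which one accepts traffic from the hybrid.
Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderDomains, TlsSenderCertificateName

# Quarantined phish whose recorded sender is one of our own accepted domains.
# These are the candidates for the DDG-rewrite false positives described above.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-7) -QuarantineTypes Phish |
    Where-Object { ($_.SenderAddress -split '@')[1] -in $internalDomains } |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, QuarantineTypes |
    Format-Table -AutoSize

# --- Exchange 2013 hybrid (Exchange Management Shell) -----------------------
# Flatten each send connector's address spaces so the cost 1 (to O365) and
# cost 10 (to internet) routing described in the post is visible side by side.
Get-SendConnector | ForEach-Object {
    foreach ($space in $_.AddressSpaces) {
        [pscustomobject]@{
            Connector  = $_.Name
            Enabled    = $_.Enabled
            Address    = $space.Address
            Cost       = $space.Cost
            SmartHosts = ($_.SmartHosts -join ',')
        }
    }
} | Sort-Object Cost | Format-Table -AutoSize

# Track one test message sent from an external mailbox to a single DDG.
# The Sender column shows the envelope (P1) sender at RECEIVE, EXPAND and SEND,
# which is where a rewrite to the group's address would first appear.
Get-MessageTrackingLog -Recipients 'remote-office-ddg@example.com' -Start (Get-Date).AddHours(-2) |
    Select-Object Timestamp, EventId, Source, Sender, RelatedRecipientAddress, ConnectorId |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Run the two halves in their respective shells; comparing the `Sender` value on the EXPAND and SEND events against the `SenderAddress` shown in quarantine is the quickest way to confirm whether the rewrite happens on the hybrid server or after the message reaches Exchange Online.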