I have also seen a similar example. I was working through the settings on a remote session with a client of mine and we added the CEO to the list and I left them to add the remaining "important" users to the list. They did not! A few weeks later they got a phish, it was reported internally and the report made its way back to me. One email in the phish campaign was stopped and the other was not. On looking we saw that the one that was stopped came from a display name that matched the CEO and the second email came from a display name that matched the CFO. The email "from" the CFO made it into the users mailbox as ATP had not been configured to consider this display name a high risk account! We updated the policy and told the client to ensure that they added all the "important" mailboxes to the policy (and if over 20 mailboxes, create a second policy and carry on)