Is there something wrong with M365 spam filtering?

Hello ljblackhall 

The Exchange Online Protection (EOP) scanning mechanism is subject to so many factors, when categorizing an inbound email, which includes the reputation of the sender's domain and IP. The reputation of a domain or IP changes overtime depending on how it is being used to send emails over the internet. You could check the IP and domain reputations of an email with the tool below:

https://talosintelligence.com/reputation_center/

If the email was received into the user's junk folder, then the user should report the email as not spam so the EOP engine improves on its classification techniques, for subsequent emails from the reported sender(s). The user may, also, add the sender's email to their trusted sender's list, especially, if the reputation remains bad.

As an administrator, if you have the subscription that includes Microsoft 365 Defender for Office 365 plan 2, you should check for the delivery action of the reported email in the https://security.microsoft.com/threatexplorerv3 of your Security portal.

Also, you should align your security configuration with best practices as described in the useful article.

In addition, it is important to note that the preset security policies (standard or strict), if turned on takes precedence over the custom policies.

Useful Articles

https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365

https://learn.microsoft.com/en-us/defender-office-365/mdo-deployment-guide

Please do not hesitate to contact me with useful questions you might have on this issue.

Thank you.