Forum Discussion
Why did this incoming email get through Office 365 spam filters? What policy do I need to "tune"?
I have just had a client contact me to say he has just had a lot of his contacts spammed with a fairly well-crafted phishing email that appears to have also originated within Microsoft's own Exchange Online infrastructure and been the same result of some kind of cross-tenancy exploit. My money is on there being some kind of out-of-the-box security vulnerability that appears to be allowing some kind of cross-tenancy exploit within their infrastructure. They will, no doubt, be more than tight-lipped about such a vulnerability. Their usual channels for reporting these kinds of things, which are no doubt heavily automated, in my opinion will be inadequate for the seriousness of this matter. I will be trying to open a direct support case with them. Let's see how well they handle this. I won't be holding any high expectations...
As a footnote, it seems most other replies to your OP are making references to general spam events and prevention methods. They appear to be missing the fundamental and critical reference to a cross-tenancy issue in your OP, i.e. the spam originated from within Microsoft's own infrastructure. So, geo-blocking or IP subnet/range blocking aren't going to make a blind bit of difference.