How do I block inbound mail to O365 from external senders?

I have a hybrid configuration with centralized mail transport through my on-prem Exchange server. Mail flows fine, but I found that phishing emails from other tenants do not use my MX to route mail; instead, they use the FQDN for my O365 tenant (MYDOMAIN-com.mail.protection.outlook.com), and Exchange Online accepts those messages. Why?

I set up a transport rule to block inbound mail to Exchange Online unless it comes from my on-prem IP addresses, with a forwarding rule. The forwarding rule sends those emails to me. I found that the phishing emails are now sent to me, but valid Teams voicemails from other tenants are also being caught by the rule and forwarded to me as well.

So why does Exchange Online accept mail from the internet and other tenants in a centralized transport configuration where my MX points only to on-prem? Why do Teams voicemails from other tenants not honor my MX record? How do I fix that?

2 Replies
Best open a support case, as what you are describing looks like a bug to me.
Thanks, I'm always hoping to avoid those. :)