Hi Bart, Do you have SPF, DKIM and DMARC configured? You should not have to resort to transport rules to block phishing emails. ATP just added blacklisting capability so that you can add URL's into the ATP blacklist, avoiding the need to create transport rules. I understand that is not in your budget though. Another option is you can report these phishing emails to Microsoft. In the OWA interface, there is a junk menu - click that and in the drop down select Phishing. Another thing you can try is to make sure that 'Enable safe list' is not checked in the EOP Connection Filtering option. This is because some spammers will use legitimate websites like Godaddy to send emails which are technically in that safe list, so you may see a reduction of spam/phishing emails if you uncheck that box. In the EOP Spam Filter "Bulk email" settings, I recommend setting the threshold at '5' Lastly, in the EOP Spam filter advanced options, I recommend setting 'SPF record: hard fail: to ON" as this will make it harder for those sending phishing emails to get through SPF checks.
Try those out for a few days and let us know if that helps. I had another client try these settings and they said it was a big help for them.