I have a issue where I have an ex-employee sending email threats to internal employees from random email addresses. At present is would appear that the ex-employee is being informed by another internal employee as soon as we block the address. The email is targeted in a foreign language to a specific group of users.
Question: How do we block these emails when they come from various domains and random email addresses?
Can I create some kind of smart exchange online rule or set a defender policy to stop this?
I can't really see any way you can detect this with any real accuracy. If you know that these are from a particular language you can set an anti-spam rule with language as one of the detections, but if you get legitimate email using these languages, then you will get lots of false positives