Nov 28 2018 08:17 AM
Nov 30 2018 02:54 AM
That's right, this is not a supported scenario. One of the consequences, as you rightly identified, is the stripping of certain X-headers which causes the 'X-MS-Exchange-Organization-AuthAs' header to get stamped as 'Anonymous'.
This can be overcome by creating a transport rule in your on-premises Exchange to stamp "X-MS-Exchange-Organization-AuthAs: Internal" (for mails matching a pattern that proves it's originating from O365). However, that's not the only issue you'll notice, which is why this setup is not supported in the first place. I'd recommend bypassing the spam filter for all mail traffic between on-premises hybrid servers and O365.