Emails from 365 tenants or outlook.com ignoring MX records - bypassing VIP protection checks.

Hey Folks,

I've setup the email advanced on a test domain in my organisation for the sole purpose to see how the VIP protection works (and other items, but they're not in question here).

So it's all setup and seems fine, I get the impersonation banner etc. but only if I send my test account an email from my gmail.

Gmail > 365 test account > marked as impersonation

outlook.com > 365 test account > not marked (seems to take a single hop and lands in mailbox).

other 365 tenant > 365 test account > not marked, similar to above.

Bearing in mind I am not sending to my actual account, my test account is named differently as I know impersonation protection doesn't work to yourself, based on the presumption you would know you're not scamming yourself.

My concern is if this doesn't protect against outlook.com and other 365 tenants impersonating then it's only partially effective as anyone can create outlook.com accounts.

Anyone else had/seen/fixed/cried themselves to sleep over this?

Cheers

Ian