I have a non-profit customer that I'm currently setting up a hybrid configuration for. We recently got them set up with a new server with Exchange 2016. They used Office 365 for their second location that is now combined with the first and on their local domain. During the first part of the migration I changed over their MX records to look directly at their external IP for a standard configuration, but the amount of spam they were getting was ridiculous. So, last night I changed their MX record to look to Office 365 (they don't mind still paying their minuscule non-profit pricing for O365 just for the spam filtering) and configured the connectors on O365 to forward the mail onto the on-prem server. That all works fine, but they are still receiving a large amount of spam. I'm not seeing any of those messages being passed through O365, so i'm assuming it's all being sent to their outside IP address and the Exchange server is still delivering them. My question is how do I set up the receive connector so that it only accepts outside mail from O365. I've set up internal spam filters before where you just have it only accept mail from a single IP, but Microsoft has so many IPs, it doesn't look like I can do that. Any suggestions would be great!