We got quite a bit of phishing/spamming lately so my IT support colleague has recommendation below:
for your inputs/views if the recommendation below is good or any other alternative best practices out there:
We don't have Proofpoint or email security gateway.
"Note that we should keep the Exchange Online rule/filter as empty as possible as rules filtering affects performance on the Exchange Online; every rule/filter is processed on every single email individually, delaying email delivery eventually.
Recommendation is to perform the blocking at our Exchange Online first (for faster turnaround) and highlight the phishing/spamming source to our host (ie MS team supporting O365) and allow them to take the appropriate actions at their end as ultimately, the RBL/DNSBL relies on the origin/host backend infrastructure.
After acknowledgement from the origin/host on the actions taken, we then remove the rule/filter from our Exchange Online"