Does Exchange Online not apply spam filter to mailbox forwarded messages?

Depends. If they are forwarded internally, they might skip some/most checks.

Hi Vasil -
Yes it's instant but I cannot tell if that's instantly after or before O365 runs their spam/phish detection on them.

Not sure what you mean by "instant", I meant internal as in forwarded to another mailbox within the company. In any case you should look into the message headers and run a message trace.

By instant I mean as soon as a the message lands in O365 via the mx record, Exchange is forwarding it, even if the thing is a complete and total phishing e-mail. If I leave it to also deliver to inbox of the mailbox that's forwarding it, they'll actually quarantine such e-mails. But they won't quarantine it before it forwards however.

The "instant" part is expected if forwarding is set via the forwardingaddress/forwardingSMTPaddress attribute or a transport rule, basically Exchange intercepts the message before it's delivered and redirects/copies it as needed. If the message is an obvious phish, that shouldnt cause it to bypass any form of scanning though. Do you perhaps have some transport rule that marks "internal" email as safe? Again, check the headers/message trace - it should give you an idea why it wasnt marked.

The e-mail is in O365 Exchange quarantine as  "Phish" yet the e-mail still forwarded out to the external address set for forwarding.

redirect happens first before hitting EOP:

2020-04-07_11-38-52.png

Thanks I'll report back Microsoft's remarks.

I got with O365 phone support. They said this is working as intended.
It appears they just assume that the recipient e-mail servers will honor their tags they put on the message.
So they're telling me to re-do it as a mailflow rule or something, since clearly redirection bypasses their spam filtering.