The authoritative source for Office 365 transport rules is the Microsoft Knowledge Base -

However, these examples should help you configure the anti-phishing service to quarantine messages.

For example, if the domainimp or senderimp flag is present, route the email to an admin quarantine and alert the admin to review and release it if safe.

Create a new rule:

Name: PP - Impersonation

Apply this rule if the message header / includes any of these words

Specify header name - X-PhishProtection-Warning

Enter words: senderimp, domainimp


Redirect the message to / hosted quarantine
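
The same rule can be created from Exchange Online PowerShell. This is an added example, not part of the original instructions. It assumes the ExchangeOnlineManagement module is installed and uses a placeholder admin address (admin@example.com); the incident report is one assumed way to deliver the admin alert described above.

```powershell
# Added example: create or update the "PP - Impersonation" rule from PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account is allowed to manage transport (mail flow) rules.
Connect-ExchangeOnline

$ruleName   = 'PP - Impersonation'
$adminInbox = 'admin@example.com'   # placeholder (assumption): mailbox that receives the alert

# Condition: header X-PhishProtection-Warning includes senderimp or domainimp.
# Action: send the message to the hosted quarantine and notify the admin.
$params = @{
    HeaderContainsMessageHeader = 'X-PhishProtection-Warning'
    HeaderContainsWords         = 'senderimp', 'domainimp'
    Quarantine                  = $true
    GenerateIncidentReport      = $adminInbox
    IncidentReportContent       = 'Sender', 'Recipients', 'Subject'
}

# Update the rule if it already exists so that re-running does not fail on a
# duplicate name; otherwise create it.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @params
} else {
    New-TransportRule -Name $ruleName @params
}

# Confirm the rule is enabled and carries the expected condition and action.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, HeaderContainsMessageHeader, HeaderContainsWords, Quarantine
```

Check the final output for `State : Enabled` and both words under `HeaderContainsWords` before relying on the rule.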