Problem: You implemented our Office365 lockdown rule and even with the recommended exceptions, some internally forwarded emails still get blocked by the rule.
Reason: When UserA@yourdomain.com forwards an email to UserB@yourdomain.com in Office365, for some reason Office365 sees that email as external instead of internal. If you look carefully at the headers of the reject notification, you'll see a line like this:
x-ms-exchange-crosstenant-authas: Anonymous
This entry can have two values: Anonymous (an external email) or Internal (an email sent from one user to another in the same tenant).
For some unknown reason, Office365 still regards an email forwarded from one internal user to another internal user as external.
Workaround:
Usually these forwarded emails have a resent-from header line with UserA@yourdomain.com as its value. So the trick is to add another exception to the hardening rule that looks for resent-from as the header element, with yourdomain.com as the value.
This workaround should apply to any internal forwarding except for calendar invite forwards; the other exception we already recommend covers those.
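To confirm that a given reject notification is the forwarded-internal case described above, the two headers can be checked with a short script. This is an added example, not part of the original article or the lockdown rule itself; the `triage` helper and the sample headers are constructed, `yourdomain.com` is the article's placeholder, and comparing the exact address domain is an assumption about how the exception value is matched.

```python
from email import message_from_string
from email.utils import getaddresses

TENANT_DOMAIN = "yourdomain.com"  # the article's placeholder domain

# Constructed sample headers, not taken from a real message.
FORWARDED = """\
From: Outside Sender <sender@example.org>
To: UserB@yourdomain.com
Resent-From: User A <UserA@yourdomain.com>
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
Subject: FW: quarterly report

"""
EXTERNAL = """\
From: Outside Sender <sender@example.org>
To: UserB@yourdomain.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
Subject: quarterly report

"""


def triage(raw_headers, tenant_domain=TENANT_DOMAIN):
    """Classify a blocked message from its headers (hypothetical helper)."""
    msg = message_from_string(raw_headers)  # header lookups are case-insensitive
    auth_as = (msg.get("X-MS-Exchange-CrossTenant-AuthAs") or "").strip().lower()
    # Resent-From may carry a display name; keep only the address domains.
    resent = getaddresses(msg.get_all("Resent-From", []))
    domains = {addr.rpartition("@")[2].lower() for _, addr in resent if "@" in addr}
    resent_internal = tenant_domain.lower() in domains

    if auth_as == "internal":
        return "internal"            # tenant already marks it internal
    if auth_as == "anonymous" and resent_internal:
        return "forwarded-internal"  # the case the resent-from exception covers
    if auth_as == "anonymous":
        return "external"            # no resent-from match; block is expected
    return "unknown"                 # header missing or unexpected value


if __name__ == "__main__":
    for name, sample in (("forwarded", FORWARDED), ("external", EXTERNAL)):
        print(name, "->", triage(sample))
```

A result of `forwarded-internal` means the message carries the AuthAs value of Anonymous together with a resent-from address in your domain, which is the combination the extra exception is meant to catch.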