Okay, Okay sorry for the delay on getting this out to everyone I wanted to be thorough.

I dont know everyone's skill or expertise so I'm going to explain it like I would to someone who's never touched exchange.

Go to Exchange Admin Portal > Mail Flow (drop down) > Rules (option on drop down) > Add a Rule > Create a new rule

1. Name the rule to idenify it when it fires (it will be in the notification email that we'll talk about further down)

2. Apply this rule if.. Select "The message headers..."
   2a. Then where it says "select one" click drop down. Select "Includes any of these words"
   2b. Click the blue text that says "enter text" on the left. Enter "Authentication-Results" but without the quotes and click "Save" at the bottom.
   2c: Next click the second blue text "enter words" once again you'll be prompted to add text. You'll enter " spf=fail" but without the quotes. Click add then click save.

3. To the right of "Apply this rule if" you will see a + icon click this to add another "apply this rule if" line. (You'll then see the new line has And at the top of it. This is adding an additional condition for the rule.)
   3a. Set the first drop down to "the sender" and the second drop down to "domain is"
   3b. This is pop-up a new window. Enter all your domains you own. for example: test123.com then click "add" then Save at the bottom.

4. again we're going to click the + icon at the top to add another row. Once you click it you'll see another condition with and above it.
   4a. first drop down select "the message headers..." The second drop down select "matches these text patterns.
   4b. Click the blue text that says "enter text" on the left. Enter "Received-SPF" but without the quotes and click "Save" at the bottom.
   4c. Next click the second blue text "enter words" once again you'll be prompted to add text. You'll enter " helo=\[127\.0\.0\.1\]" but without the quotes. Click add then click save.
   NOTE: I know the text is odd but this is regex update to look for specifically "127.0.0.1" which is local host and is in every spoof email you've received and the way it is formatted has meaning trust the process. I'll let you chatgpt it if you want more info can be

5. Now click on the drop down for "Do the following"
   5a. first drop down click "forward the message for approval" second drop down click "to these people"
   5b. Now enter the admins you want to approve these emails.

6. For settings tab at the top
   6a. Set priority to #1 so it is the first rule every email goes through.
   6b. Rule mode Set to "enforce"
   6c. Severity set to "high"
   6d. at the bottom set "match sender address in message" to "header"

BOOM you're done his save on that bad boy and be the IT hero.

NOTE: this is a temporary thing.. Once you've let this run for a week and nothing is getting stomped on internally you can change the last "do the following" to delete the email or send to quarantine.
NOTE 2: If something is getting stomped on.. no biggie.. approve it and it will be sent to the email / distro it was supposed to. then just add an additional condition to allow it through. but I'm 99.999% sure this will take care of everyone.

I'm including an image of what this should look like when done.