The authoritative source for Office 365 transport rules is the Microsoft Knowledge Base - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules


However, these examples should have you configure the anti-phishing service to quarantine messages. 

https://admin.exchange.microsoft.com/#/transportrules


An example if the domainimo or senderimp flags are present, route the email to an admin quarantine and alert the admin to review and release if safe.


Create a new rule:


Name: PP - Impersonation

Apply this rule if the message header / includes any of these words

Specify header name - X-PhishProtection-Warning

Enter words: senderimp, domainimp

And

Redirect the message to / hosted quarantine