The authoritative source for Office 365 transport rules is the Microsoft Knowledge Base - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
However, these examples should have you configure the anti-phishing service to quarantine messages.
An example if the domainimo or senderimp flags are present, route the email to an admin quarantine and alert the admin to review and release if safe.
Create a new rule:
Name: PP - Impersonation
Apply this rule if the message header / includes any of these words
Specify header name - X-PhishProtection-Warning
Enter words: senderimp, domainimp
Redirect the message to / hosted quarantine