You can use the Microsoft 365 Authorization table in Email Security.cloud (ESS) to mark legitimate X-OriginatorOrg identifiers as authorized.

The table lists Microsoft 365 Organization IDs that do not match a domain listed under My Domains or Third-Party Domains in Email Security.cloud (ESS).

Use the below table to review, authorize, add, or remove organization IDs.

• Navigate to Platform>Outbound Routes>Hosted Email Services as shown in the below screenshot.
• In the Service list, locate the Microsoft 365 row and click the Configure button. The Microsoft 365 Authorization table appears.
• Review the entries in the authorization table and take one of the following actions for each entry in the table.
  - If you recognize an organization ID and want Email Security.cloud to relay email from that tenant, select Authorize.
  - If you do not recognize an organization ID, do not authorize.
  - If a known Organization ID is missing from the table, enter the tenant's Organization ID in the input field above the table and click Add.

Next steps : Monitor the authorization table regularly. Remove any entries that are no longer required. Report suspected abuse to Microsoft.