That safesenders list thing sounds insane. How many companies add their own domain to that?



Well....that's how I found out about it when I took on my current role. We had a pretty solid phishing attempt slip through. I was able to spin up a VPS and test it on mine and some other known tenants as well (with their permission). And since O365 uses a predictable name for their SMTP receivers for a tenant (domain-com-net-whatever.mail.protection.outlook.com) it's easy to kind of....select targets and test it out.

So even if it's not listed on the domain's MX record but you can suss out they are an Office 365 tenant receiving mail, you may be able to relay off it and spoof to high heavens (especially if the edge device recommends you....ahem...whitelist your own domain and not use transport rules). In fact, especially if you can do this.

For example, I think MS forced Proofpoint to change their config recommendations as an outcome. [1]

From the page on [1]:

"Due to major complaints, Proofpoint has opted to change the format of ensuring Proofpoint mail is not scored via the O365 system. This rule will allow external email to come in still, but will follow O365 scoring. This is to ensure no mail is lost."

[1] https://web.archive.org/web/20200807173336/https://help.proo...
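The gap the comment above describes is a safe-senders or allow-list entry for the tenant's own domain, which lets mail that merely claims to be from that domain skip scoring. The defensive check that closes it is the one a transport rule or mail-flow filter should make instead: trust a message claiming our own domain only when the MX's Authentication-Results header shows a passing SPF or DKIM result aligned with the From domain. The script below is an added illustration, not code from the thread or from Microsoft or Proofpoint; it assumes a placeholder tenant domain `example.com`, constructs three sample messages inline, and parses the Authentication-Results header in the common `method=result key=value` form (parenthesised comments are stripped, multiple headers are merged).

```python
"""Flag inbound mail that claims our own domain in From: but carries no
aligned, passing SPF or DKIM result in the receiving MX's
Authentication-Results header. Added example; assumptions are marked."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed tenant domain (placeholder)


def parse_auth_results(value: str) -> list:
    """Parse one Authentication-Results value into (method, result, props) tuples.
    Handles 'method=result key=value ...' clauses; '(comments)' are dropped."""
    value = re.sub(r"\([^)]*\)", "", value)          # strip RFC 8601 comments
    clauses = [c.strip() for c in value.split(";")]
    results = []
    for clause in clauses[1:]:                       # clauses[0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                props[k.lower()] = v.lower()
        results.append((method.lower(), result.lower(), props))
    return results


def aligned_pass(results: list, from_domain: str) -> bool:
    """True if SPF (smtp.mailfrom) or DKIM (header.d) passed for the From domain.
    A pass for some unrelated relay domain does not count: that is the
    unaligned case a blanket allow-list entry would wave through."""
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "spf":
            mailfrom_domain = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            if mailfrom_domain == from_domain:
                return True
        elif method == "dkim" and props.get("header.d") == from_domain:
            return True
    return False


def assess(raw_message: str) -> dict:
    """Return the From domain, whether it claims to be ours, whether an aligned
    authentication pass exists, and a verdict of 'ok' or 'flag'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    results = []
    for hdr in msg.get_all("Authentication-Results", []):
        results.extend(parse_auth_results(str(hdr)))
    claims_ours = from_domain == OUR_DOMAIN
    aligned = aligned_pass(results, from_domain)
    verdict = "flag" if claims_ours and not aligned else "ok"
    return {"from_domain": from_domain, "claims_our_domain": claims_ours,
            "aligned_auth": aligned, "verdict": verdict}


# Constructed sample messages (not real traffic). Headers must start in column 0.
LEGIT = """From: Payroll <payroll@example.com>
To: staff@example.com
Subject: Pay slips
Authentication-Results: mx.example.com; spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached.
"""

SPOOFED = """From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Password expiry
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com

Please review the attached notice.
"""

# Relayed through a third party whose own SPF/DKIM pass, but neither aligns with From.
UNALIGNED = """From: Finance <finance@example.com>
To: staff@example.com
Subject: Invoice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.relay.invalid; dkim=pass header.d=relay.invalid; dmarc=fail header.from=example.com

See attachment.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("unaligned", UNALIGNED)):
        print(name, assess(raw))
```

The point of the `aligned_pass` check is that "spf=pass" alone is not enough: a relay's bounce domain can pass SPF while the visible From is the tenant's own, which is exactly the message shape a same-domain allow-list entry fails to distinguish from genuine internal mail.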
