Hopefully everyone is well aware of the need to protect Office 365 email from inbound spam, however what are you doing about outbound spam?
Hopefully, no bad actor gains access to your environment BUT if they did and they started using you accounts to send spam email how would know?
For this reason, I suggest that it is a good idea to go into the Exchange Administration console, select Protection, then Outbound spam. Edit the default policy (that’s really your only option), then select outbound spam protection on the left hand side. Then I suggest you should enable the option to send an email when there is a suspicious outbound email to somewhere that is monitored.
That obviously, won’t stop outbound spam but it should at least give you a heads up that it is happening.