Hi @Steve Russell ,
- Start with a message trace or historical trace to check if there are emails originating (Outbound) from your tenant, which appears to be of a domain which you don't own or onboarded yet.
- Setup a Transport rule to trigger reports for all emails except your own domains as senders for External emails
- Once you identify those emails, you can do pin point investigation to identify the source of that email and remediate according to that
- In addition as suggested by Kyle you might find more details on the alerts when viewed in the portal.
Regards,
Satyajit