You can simulate spam using this link:
https://o365info.com/simulate-spam-mail/
Best practices:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide
Config Analyzer:
https://www.powershellgallery.com/packages/ORCA/1.10.6
Tuning anti-phishing:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tuning-anti-phishing?view=o365-worldwide
After that, you monitor and adjust as necessary.
If you need to safelist senders, follow:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide
Ensure you have correctly set up your SPF/DKIM and DMARC records as well:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide
This is very important so that 365 can easily tell when external users are attempting to spoof your domain and send inbound messages to your users!
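
An added example, not part of the original reply: an offline check of SPF and DMARC TXT record strings for settings that weaken spoof detection. The sample records, example.com and the function names are constructed for illustration, and the include check assumes the domain sends its mail through Microsoft 365.

```python
# Added example: audit SPF and DMARC TXT record strings offline (no DNS lookups).
# All sample records and example.com below are constructed for illustration.
def parse_tags(record):
    # Split a DMARC record ('k=v; k=v') into a dict with lowercase keys.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    # Assumption: the domain sends its mail through Microsoft 365.
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF: missing include:spf.protection.outlook.com")
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_terms[0] in ("all", "+all"):  # the first 'all' ends SPF evaluation
        findings.append("SPF: +all authorizes every sender")
    return findings

def audit_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1 version tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none requests no action on failing mail")
    elif tags.get("pct", "100") != "100":
        findings.append("DMARC: pct is not 100, policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to monitor")
    return findings

WEAK = ("v=spf1 include:spf.protection.outlook.com +all", "v=DMARC1; p=none")
GOOD = ("v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for spf, dmarc in (WEAK, GOOD):
        print(audit_spf(spf) + audit_dmarc(dmarc) or ["no findings"])
```

Paste in the TXT values published at the domain and at `_dmarc.<domain>` to audit real records.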