Hi,
For your requirement, I would suggest that instead of creating the filter, you can create a new policy for the particular domain (hd.onmicrosoft.com).
From the example filter shared, I can see that you are using mail-from header not equal to check which allow emails with a different "mail-from" header and "from" headers and hence it might bypass. Examples any email with mail-from header value as "abc@imposter.com" and from the header as "xyz@hd.onmicrosoft.com" will match this filter.
When you define a domain incoming mail policy, it will match the below three headers:
1) Mail-From
2) From
3) Reply-To
User matches are evaluated as a top-down fashion, first match wins.
Please check below article for more details:
https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/212808-configure-flexible-mail-policy-match-fea.htmlI hope the above information helps.
Cheers,
Pratham