Brian, whitelisting your office IP is really the only way to prevent the brute force rule enforcement. Is there a reason you don't want to whitelist your office IP? Also, what settings for the brute force detection rule are you currently using?
One improvement we could possibly implement in SM is to keep a list of attempted passwords and increment a counter of each unique password. Most mail clients and their users would likely use the same password repeatedly instead of radically changing up the password attempts like "real" brute force attackers. After XX many unique failed attempts (or YY many attempts with the same password?), the user's IP would be blocked.
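A sketch of the counting scheme proposed in the post above, added here as an illustration and not SmarterMail code. The threshold values standing in for XX and YY, the class and function names, and the choice to keep keyed HMAC fingerprints rather than the attempted passwords themselves are all assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed thresholds: the post leaves them open as XX and YY.
MAX_UNIQUE_PASSWORDS = 5   # "XX": distinct wrong passwords before blocking
MAX_SAME_PASSWORD = 50     # "YY": repeats of one wrong password before blocking


class FailedLoginTracker:
    """Per-IP failure counts, keyed by a fingerprint of the password tried."""

    def __init__(self, max_unique=MAX_UNIQUE_PASSWORDS, max_same=MAX_SAME_PASSWORD):
        self.max_unique = max_unique
        self.max_same = max_same
        # Random per-process key: failed attempts are often near-misses of the
        # real password, so only keyed fingerprints are held, never plaintext.
        self._key = os.urandom(32)
        self._attempts = defaultdict(lambda: defaultdict(int))  # ip -> fp -> count
        self.blocked = set()

    def _fingerprint(self, password):
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def record_failure(self, ip, password):
        """Record one failed login; return True if the IP is (now) blocked."""
        if ip in self.blocked:
            return True
        per_ip = self._attempts[ip]
        fp = self._fingerprint(password)
        per_ip[fp] += 1
        # Block on many distinct guesses, or on very many repeats of one guess.
        if len(per_ip) >= self.max_unique or per_ip[fp] >= self.max_same:
            self.blocked.add(ip)
            del self._attempts[ip]  # history no longer needed once blocked
        return ip in self.blocked


def demo():
    """Constructed input: a misconfigured mail client vs. a guessing client."""
    tracker = FailedLoginTracker()
    # Mail client retrying one stale password 20 times: stays under both limits.
    client = [tracker.record_failure("192.0.2.10", "old-password") for _ in range(20)]
    # Client trying a different password each time: blocked on the 5th attempt.
    guesser = [tracker.record_failure("198.51.100.7", f"guess{i}") for i in range(5)]
    return client, guesser
```
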