3
Spam from outlook.com
Question asked by Merle Wait - 1/16/2024 at 11:44 AM
Unanswered
We use man's best friend/declude for spam filtering as well as CLAMD/SpamAssassin.
We still have all of these emails from outlook.com
@n8uob4m.onmicrosoft.com> (as an example) .. that keep getting through the spam checks.
I suspect it is because they are generating from outlook.com... but looking for direction on what we may have set up wrong... or what we should get added... that we don't.

7 Replies

0
Jack. Replied
Yes, we are receiving a lot of spam from Outlook.com.

@xlj90zh.onmicrosoft.com
@nakudaro.onmicrosoft.com
@x1s2026.onmicrosoft.com
@x3vyaxc.onmicrosoft.com
All emails contain two links to storage.googleapis.com
0
Martin Schaible Replied
We also receive a lot of spam from outlook.com, and have for a long time.
1
Jacques Milon Replied
Having the same issue here where the onmicrosoft.com domain is getting through all the filters. I have not found a common ground where to create a filter. This is currently our biggest issue with Spam right now.
2
Douglas Foster Replied
This is how I have defended against these attacks:

Attack1:  MailFrom = user@<domain>.onmicrosoft.com
<domain>.onmicrosoft.com is intended as a transition tool for organizations that are onboarding to Office365.
Normal mail should not be sent from @<domain> after onboarding is complete.
I quarantine by default for *.onmicrosoft.com and *.onmicrosoft.us, with three exceptions granted so far to legitimate senders.

Attack 2: MailFrom = Null (includes but not limited to outlook.com servers)
1) Detect null sender in Declude:
MINWEIGHTTOFAIL 1
NULLFROM filter: MAILFROM 1 NOTCONTAINS @

2) FROMTEST filter:   
Do non-standard SPF lookup using FROM address instead of null Mail From address
(Declude's built-in SPF test does not handle multiple-segment SPF records, so I use a custom one based on Python PYSPF.  I just call it with a different address to do the non-standard lookup.)

3) NULLISOK filter: 
MINWEIGHTTOFAIL 1
MAILFROM    1     CONTAINS @
TESTSFAILED     1       CONTAINS DKIMCHK-SIGNEDOK
TESTSFAILED     1       CONTAINS FROMTESTPASS
HEADERS        1    CONTAINS auto-submitted
The DKIMCHK test compares a DKIM sign to the From address and is based on Python DKIMPY.
The last header asserts that the message is either a bounce (undeliverable) or auto-reply (out of office), and is probably the most important part of this defense.

4) NULLBLOCK filter:
MINWEIGHTTOFAIL 3
MAILFROM    2     NOTCONTAINS @
TESTSFAILED     1       NOTCONTAINS NULLISOK

Attack 3: Non-existent Mail From domain
I also customized PYSPF to report NXDOMAIN as a special case.   If the Mail From account returns "non-existent domain" on the SPF lookup, the domain does not actually exist and the message should be blocked.  (This is infrequent:  I have 3 messages so far this month, and not from outlook.com.   But it is a very reliable block rule.)
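The three-stage defense above, as an added Python model of the filter chain (not Declude's code and not the poster's). It assumes each Declude rule is a (field, weight, op, value) tuple, that external SPF/DKIM results are passed in as already-fired test names (DKIMCHK-SIGNEDOK, FROMTESTPASS, and SPF-NXDOMAIN for the customized NXDOMAIN case), and that filters run in order so a later filter can see earlier ones in TESTSFAILED:

```python
import re

# Filters transcribed from the post: (MINWEIGHTTOFAIL, [(field, weight, op, value), ...]).
# A filter fires when the summed weight of matching rules reaches the minimum.
NULLFROM = (1, [("MAILFROM", 1, "NOTCONTAINS", "@")])
NULLISOK = (1, [("MAILFROM", 1, "CONTAINS", "@"),
                ("TESTSFAILED", 1, "CONTAINS", "DKIMCHK-SIGNEDOK"),
                ("TESTSFAILED", 1, "CONTAINS", "FROMTESTPASS"),
                ("HEADERS", 1, "CONTAINS", "auto-submitted")])
NULLBLOCK = (3, [("MAILFROM", 2, "NOTCONTAINS", "@"),
                 ("TESTSFAILED", 1, "NOTCONTAINS", "NULLISOK")])
# Attack 1: tenant transition domains that should not send normal mail.
ONMICROSOFT = re.compile(r"@[a-z0-9-]+\.onmicrosoft\.(com|us)$", re.I)

def filter_fires(filt, fields):
    """Sum the weights of rules whose CONTAINS/NOTCONTAINS condition holds."""
    min_weight, rules = filt
    weight = 0
    for field, w, op, value in rules:
        found = value.lower() in fields[field].lower()
        if found == (op == "CONTAINS"):
            weight += w
    return weight >= min_weight

def evaluate(mailfrom, headers, tests_failed, allowlist=()):
    """Decide ACCEPT / QUARANTINE / BLOCK for one message.
    mailfrom is the SMTP MAIL FROM ('' for a null sender); tests_failed names
    external tests that already fired, since SPF/DKIM need network lookups."""
    tests = list(tests_failed)
    if ONMICROSOFT.search(mailfrom) and mailfrom.lower() not in allowlist:
        return "QUARANTINE"                      # Attack 1
    if "SPF-NXDOMAIN" in tests:
        return "BLOCK"                           # Attack 3: sender domain does not exist
    # Attack 2: run the null-sender filters in order; each one that fires is
    # appended to TESTSFAILED so the next filter can reference it.
    for name, filt in (("NULLFROM", NULLFROM), ("NULLISOK", NULLISOK), ("NULLBLOCK", NULLBLOCK)):
        fields = {"MAILFROM": mailfrom, "TESTSFAILED": " ".join(tests), "HEADERS": headers}
        if filter_fires(filt, fields):
            tests.append(name)
    return "BLOCK" if "NULLBLOCK" in tests else "ACCEPT"

# Constructed sample header blocks (not taken from the thread).
BOUNCE = "From: MAILER-DAEMON@example.net\nAuto-Submitted: auto-replied\n"
PLAIN = "From: promo@example.org\nSubject: act now\n"

if __name__ == "__main__":
    print(evaluate("", BOUNCE, []))                          # ACCEPT: genuine bounce
    print(evaluate("", PLAIN, []))                           # BLOCK: null sender, no DKIM/SPF/auto-submitted
    print(evaluate("", PLAIN, ["DKIMCHK-SIGNEDOK"]))         # ACCEPT: null sender but DKIM-signed
    print(evaluate("x@abc123.onmicrosoft.com", PLAIN, []))   # QUARANTINE
```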
0
Merle Wait Replied
Thanks Douglas.. am looking at doing that now....
I do have a question for SM folks... 
So since it is the weekend and I had some testing time available I set up the following Spam Custom Rule

Did this for a simple test..
So I was expecting the system to assign spam rating of 20 for any email that had a Return Path that contains:
onmicrosoft.com ...  but it doesn't  listed below is the header
============================================================
Return-Path: <support_bADcMYFZipY@251r0iq.onmicrosoft.com>
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2097.outbound.protection.outlook.com [40.107.223.97])
    by mx4.availx.com with SMTP; Sat, 20 Jan 2024 12:22:33 -0600
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11o
...numerous other headers removed
X-SmarterMail-SmartHostSpam: SpamAssassin [raw:-2]: -5, DK [None]: 0, DKIM [None]: 0, Declude: 26
X-SmarterMail-SmartHostSpamWeight: 21
X-SmarterMail-SmartHostSpamSalt: 1791418688
X-SmarterMail-SmartHostSpamKey: -528871461
X-Exim-Id: 9a322494-7ff3-41a8-9930-c094bc52f020
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
X-SmarterMail-Spam: DMARC [skipped - DMARC Disabled]: 0
X-SmarterMail-TotalSpamWeight: 0
X-SmarterMail-SpamAction: None | NoAction
=========================================================
What do I have set up wrong?

1
Douglas Foster Replied
I suspect that Return-path is added by SM after your test has been performed.  Try applying the test to the From header instead 
0
Merle Wait Replied
So I changed to FROM: .. and nothing. Still getting zero spam assigned by the SpamRules check
