• not enough ? Yes, maybe, but surely better than nothing and can raise user attention. We all agree.
• According to Researchers that have identified this vulnerability, this feature can be (easily) bypassed by manipulating CSS within HTML emails, allowing malicious messages to appear without the warning intended to protect users.

How:

The method involves using specific CSS rules to hide the safety tip, making it invisible to recipients.

• CSS can be applied to anchor tags to prevent the tip from displaying, and other rules can change text color to white and size to zero, effectively blending it into the background.
  a { display: none; } td div { color: white; font-size: 0px; } [...]
• This manipulation can also create a deceptive appearance of security, as attackers can also spoof Microsoft Outlook's security icons.

And now ?

Despite Certitude reports this vulnerability to Microsoft, the company has opted not to address it immediately, stating that it does not meet their criteria for urgent action. Microsoft acknowledged the validity of the findings but indicated it would be considered for future product improvements.
"We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks. However, we have still marked your finding for future review as an opportunity to improve our products. Microsoft MSRC, 14.02.2024".

Credits: certitude consulting - o365-anti-phishing-measures