I personally would put it in EXO and use the EDR solution for analysis.
Non-domain workstation for suspicious emails
We have an on-premises mailbox (user account) that allows our users to send emails that they think are suspicious. The account logs into a non-domain workstation using OWA. Our users are in exchange online. we are hybrid. Management wants to know if this mailbox can be moved to exchange online and what do we have to consider. We still want to use the non-domain workstation for the account logon. How do I configure this account in exchange online? Anything special because of its' use. Someone mentioned conditional access and 2 factor authentication will need to be configured for this account. (details not given). Any suggestions? I appreciate your help. Thanks.