DBEB in Exchange Online Protection should reject inbound emails to addresses not found in the internal directory. If I send an email to a made-up address (firstname.lastname@example.org) from an external mailbox, I do get a NDR saying 5.4.1 access denied. So far so good. But when I send an email that we deleted back in year 2011, from our internal AD and onprem Exchange, the email is accepted by the DBEB and processed by the MTA. The result gives an NDR as well, but with "not found in the smtp addressbook". Why is DBEB accepting a user that we deleted 10 years ago, a user that was deleted many years before AD Sync to Azure and the Exchange Hybrid setup? I assume there are something left in AD/Exchange, but where shall I look for it?