How about policing CSAM at all? I can still vividly remember firehose API access and all the horrible stuff you would see on there. And if you look at sites like tk2dl you can still see most of the horrible stuff that does not get taken down.
Your on premise exchange server has zero connections to outlook.com. OWA (Outlook Web Access) looks similar to outlook.com but has otherwise nothing to do with it.