From something i read a while ago when you enable passwordless entra resets your password to something that stupidly long I don’t actively make them that long even in my password manager.

I’d never heard of bypassing a corporate phishing test using an email filter.
github.com/postmodern/phishing-training-sigs
Add a rule in outlook/thunderbird if any of those are in the email header toss it to a folder specially for phishing emails. Doing it org wide makes no sense as you say but if you know enough about emails to read the email header you likely aren’t the target for the phishing training.

I am well aware of evilnginx :D