Configuring Spam and Protection for Office 365
Email deliverability and Spam issues are specific exclusions under the included support with CSP. Our partners are expected to do the day to day administration of their client's tenancies and make the changes required to fix issues. In the case of service or infrastructure issues then you can request an escalation case to Microsoft.
I would start by reviewing https://support.office.com/en-US/article/Office-365-Email-Anti-Spam-Protection-6a601501-a6a8-4559-b2e7-56b59c96a586 and using some of the suggestions and sub-pages there. You will also need to review the headers of some of these emails and work out why they are being delivered to inboxes and by what method they are also. This article is a little old but the questions in it still apply today and will start putting you on the right track.
The second thing you should be doing is confirming is that your SPF records are set for all domains added to the tenancy, and they are correctly configured and are not letting spam through (confirm ending with -all, not ~all). DKIM configuration should also be completed and these two things in place should reduce your inbound spam load significantly as the messages will be rejected at the perimeter.
Finally, you should be getting users to report the spam that is making it through to the inboxes. You will need to install the add-in for Outlook viahttps://www.microsoft.com/en-au/download/details.aspx?id=18275 or they can simply right click and select 'Report spam' if in OWA/Webmail.