Best way so far I've worked out is to create a policy looking for *@organisationA.com in both the sender/recipient addresses, then using a blacklist in that policy for *@organisationA.com to then quarantine it.
Doesn't seem the best way. Any other suggestions?
Go to email -> email configuration -> receiving email -> permit and deny lists -> Permitted and blocked senders.
Put your internal email server IP into "permitted senders"
and your domain into "blocked senders".
Emails from senders / networks / domains in this list are always refused unless overridden by an entry in the permitted senders list.
A possible alternative to Permitted/Denied Senders/IPs is to make use of SPF filtering in the sender authentication section of the policy you primarily use for filtering inbound email. This also implies having what is called an SPF TXT record on your internet-facing DNS server. In this SPF record your organization would list which IPs/domains are permitted to send mail on your behalf. Once that is in place, you can activate the SPF filtering in the email filtering policy.
SPF filtering is otherwise useful if you do not have your own SPF TXT record, because many organizations out there do, and you can filter mail with fake senders from those organizations.