Hi @David Kohler,
Thanks for posting your question in the Microsoft Q&A forum.
You have three anti-phishing policies in place. You send a test email posing as a protected sender to three people, but they are all quarantined.
As for the other two emails, although they were not sent to protected recipients, since their display names were the same as protected senders, the Office365 AntiPhish Default policy (as the default policy) was also able to identify and quarantine these emails using the "Impersonating User" detection technology. This is probably because the default policy is also configured with the same settings as the Impersonation Protection policy, so it is able to identify this type of impersonation behavior.
Typically, even if the emails are not sent directly to protected recipients, as long as the display name of the protected sender is included in the email, these emails may be identified as impersonation attacks and quarantined.
For details, you can refer to this URL: Anti-phishing policies - Microsoft Defender for Office 365 | Microsoft Learn
If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
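To check whether the default policy really carries the same user impersonation settings as the custom policies, the settings and recipient scope of every anti-phishing policy can be listed side by side. This is an added example, not part of the original answer; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read anti-phishing policies.

```powershell
# Added example: compare impersonation settings and recipient scope across
# all anti-phishing policies in the tenant (read-only, changes nothing).
Connect-ExchangeOnline

# Rules hold the recipient conditions and priority of each custom policy.
# The default policy has no rule and applies to every recipient not matched
# by a custom policy.
$rules = Get-AntiPhishRule

Get-AntiPhishPolicy | ForEach-Object {
    $policy = $_
    # Assumption: the rule's AntiPhishPolicy property holds the policy name.
    $rule = $rules | Where-Object { $_.AntiPhishPolicy -eq $policy.Name }

    [pscustomobject]@{
        Policy                  = $policy.Name
        IsDefault               = $policy.IsDefault
        RulePriority            = if ($rule) { $rule.Priority } else { 'n/a (default policy)' }
        RuleState               = if ($rule) { $rule.State } else { 'n/a (default policy)' }
        SentTo                  = if ($rule) { $rule.SentTo -join '; ' } else { 'all other recipients' }
        SentToMemberOf          = if ($rule) { $rule.SentToMemberOf -join '; ' } else { '' }
        RecipientDomainIs       = if ($rule) { $rule.RecipientDomainIs -join '; ' } else { '' }
        # User impersonation protection: on/off, who is protected, what happens on a match.
        UserImpersonationOn     = $policy.EnableTargetedUserProtection
        ProtectedSenders        = $policy.TargetedUsersToProtect -join '; '
        UserImpersonationAction = $policy.TargetedUserProtectionAction
    }
} | Format-List
```

If the default policy's row shows `UserImpersonationOn` as `True`, the same names under `ProtectedSenders`, and `Quarantine` as the action, that matches the behaviour described above for recipients outside the custom policies' scope.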