A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user (CVE-2021-1730).

To prevent these types of attacks, Microsoft recommends customers to download inline images from different URL than the rest of OWA. 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730

Basically, you need to change both the external & internal download hostname to a different domain name.