TL;DR if Booking Pages are enabled (the default, of course) users can create a mailbox for any alias they want on your tenant without admin consent. This is WILD.
Special aliases are used for verification purposes all of the time. Hereβs an example from HaveIBeenPwned:
Thank you Rolf Schwimmbeck for pointing me to it.