Customer had configured an Exchange 2010 SP3 based hybrid. Later on, they had to replace the certificate used for mail flow and a few other hybrid configuration related things. After doing so, EXO users could no longer send mail to on-premises Exchange users. After some troubleshooting (which included looking in the receive connector protocol logs), I found out that EOP tried to establish SMTP sessions to the default receiver connector and not the Inbound Office 365 connector created by the HCW. Via the protocol logs, I also noticed that the source IP address wasn’t from the EOP IP range, but appeared to be one from the on-premises environment.
Turned out customer routes all inbound messages through a hardware load balancer and after adding the VIP address associated with the SMTP virtual service on the load balancer to the Inbound from Office 365 receive connector mail flow from EXO to on-prem worked again.
Lesson learned: When updating the HCW, the list of source IP addresses on the Inbound from Office 365 receive connector is reset to only include the EOP IP ranges.