You have a hybrid deployment of on-premises Exchange Server and Exchange Online.
You configured the outbound send connector in Exchange Online to use a remote domain of " * " and enabled centralized mail transport on that connector.
A user or application in the on-premises organization sends an email message to a mailbox that's hosted in Exchange Online. For example, email@example.com. And, the Exchange Online recipient, firstname.lastname@example.org, has a forwarding SMTP address that's set to an external recipient (email@example.com).
In this scenario, the message tracking logs show that the message that was forwarded to firstname.lastname@example.org isn't routed back through the on-premises organization, as expected. Instead, the message is sent directly through Exchange Online Protection.
This behavior is by design. To forward the message, an exact copy of the original message is created and sent to the external recipient. Mail routing logic sees that this new message had originated in the on-premises environment and therefore doesn't send it back to the on-premises environment. Instead, it's routed directly to the external recipient domain through Exchange Online Protection.
Microsoft Exchange Online, Microsoft Exchange Online Protection, Exchange Server 2016 Enterprise Edition, Exchange Server 2016 Standard Edition, Microsoft Exchange Server 2013 Enterprise, Microsoft Exchange Server 2013 Standard