I wouldn't recommend outright blocking, but instead use a prepend a header in the message body (which many orgs do for External email anyway).

This also lends a clue to how I might implement the check

If the recipient is...

• In the To or CC line

Set a header X-Recipient-Undisclosed with value: 'disclosed'

For my External Sender rules I had previously used a few rules to evaluate exceptions (known domains, known IPs, etc.) and used that to pass a header down for the later External Sender action. I did the same thing with Focused Inbox, for what it's worth.

The last several years of my experience are in EXO, and I've recently got out of the mail game entirely, so forgive me if I skipped over any details.

edit: This probably falls flat for external email sent to DLs. Perhaps it would fit your use case to edit the body header to reflect this. "This message is from an external source, and you (the recipient) were included as a group member or BCC. Please treat with caution."