Interesting...
Had a malware get through to a user - not that uncommon - passed 2-3 levels of filtering, starting with ESS.
email spoof
ESS detects sender envelope correctly, not from listed sender exactly.
Multiple sender addresses listed and hidden actual sender in name - probably a red flag, but passes.
Email is sent through - user flags - notifies me that it looked odd, opened attachment but didn't disable protected mode as instructed by the attachment.
I checked and verified the Word docx was most likely malware.
Went to check headers in message log of ESS and found they had modified info saying they had detected a virus - retroactively - and flagged the attachment and removed the content and scores from the headers...
Well, that is all good and great... However, they had already sent the message through with the malware and never notified they had...