The attachment list for Threat Defense scanning in Message Audit Logs (MAL) shows one or more entries for (none) with a SHA256 hash.
The attachement name (none) indicates that the scanned component is either an HTML message body or an embedded object. For example, if the sender pasted an unnamed image into an HTML-format message, the HTML body and the unnamed image appear in the Attachment Name column as two attachments named (none).
This is the expected behavior when Messaging Gateway Threat Defense scans unnamed attachment or file data content in messages.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe