DLP not triggers when email that contain CC is from outside organization

Hello Community,

We’ve been dealing with an issue for the last 6 months, and even though we have opened a ticket to MS, and we are trying to also work in the background, I could appreciate the help and opinion of the community.

Context:
We want to create a DLP rule that it will identify and redirect for approval emails that contain credit card information to specific approvers and either reject or pass the email to recipient, when send to specific shared mailbox.

The setup at the moment:

Conditions

Content is received from ​ People outside my organization

And

Content contains any of these sensitive info types: Credit Card Number

Evaluate predicate for Message or attachment

Actions
Forward the message for approval to specific approvers

mailto:email address removed for privacy reasons

All the internal mailboxes  that are part of the test have M365 E5 licences
We generate CC numbers using random sources and send multiple time from different email providers (gmail,yahoo, proton etc)

The DLP does not catch those email, and are delivered normally to the recipient.
If we switch though to “Content is received from ​ People INSIDE my organization” the DLP triggers without issues

Has anyone had a similar use case?

Thank you all