Forum Discussion
Spam/Spoofed email received differently by 3 users
Hello experts...
Today I had a user report a spoofed email. The email looked like it was sent from a CEO (his full name was used; the email address, however, was completely different: a gmail.com address, not our domain). The user received this email directly in his inbox and did not realize at first sight that it was a spam/phish email.
So I started to look at why it was delivered to the inbox, as I would expect such an email to be either in Junk or quarantined. I found out that two other users received the same email just a few seconds after the 1st one was delivered; however, for those two users it was actioned as "FilteredAsSpam" when I checked Mail Flow -> Message trace. So this time it was identified as spam and delivered to the Junk folder... good here then.
I also checked the header of the copy that was delivered to the inbox and compared it to the one in Junk, and I saw that for the first one the SCL = 1, and for the other 2 users the SCL = 5.
Also, when I check Defender -> Explorer, I see:
- for the 1st recipient:
  - Latest Threats: None
  - Latest delivery location: Inbox folder
  - Detection technology: -
  - Delivery action: Delivered
- for the other 2 recipients:
  - Latest Threats: Phish / Normal
  - Latest delivery location: Junk Email folder
  - Detection technology: Mailbox intelligence impersonation
  - Delivery action: Delivered to junk
Now, my question would be: why was the 1st email delivered to the Inbox while the same email sent to two other users (just a few seconds later) was delivered to Junk (as I would also expect for the 1st user)? Why was the SCL 1 for the 1st recipient and 5 for the other two a few seconds later, if it is the same email from the same sender?
Btw, I have added the CEOs to the "impersonated users" list, so hopefully it helps next time?
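When two copies of one message get different verdicts, the first thing to compare is the X-Forefront-Antispam-Report header of each copy, since it carries the SCL together with the spam filtering verdict (SFV) and the category (CAT) that explains why the SCL was assigned. The following PowerShell is an added example, not code from the original post: it parses that header from raw message headers and prints the two copies side by side. The two header blocks are constructed for illustration (documentation IP address and placeholder hostname); the field names SCL, SFV, CAT and IPV and the category value GIMP (mailbox intelligence based impersonation) are the ones Exchange Online Protection uses.

```powershell
# Added example, not from the original thread. Compares the EOP verdict fields of two
# copies of the same message so a difference in SCL can be traced to its category.

function Get-ForefrontVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 folded header lines (continuation lines begin with whitespace)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $line = ($unfolded -split "`r?`n") |
        Where-Object { $_ -like 'X-Forefront-Antispam-Report:*' } |
        Select-Object -First 1
    if (-not $line) { return $null }

    # The header body is a list of KEY:VALUE pairs separated by semicolons
    $fields = @{}
    $body = $line.Substring('X-Forefront-Antispam-Report:'.Length).Trim()
    foreach ($pair in ($body -split ';')) {
        if ($pair -match '^\s*([^:]+):(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    [pscustomobject]@{
        SCL = if ($fields.ContainsKey('SCL')) { [int]$fields['SCL'] } else { $null }
        SFV = $fields['SFV']   # spam filtering verdict, e.g. NSPM (not spam) or SPM (spam)
        CAT = $fields['CAT']   # category, e.g. NONE, SPM, PHSH, GIMP (mailbox intelligence impersonation)
        IPV = $fields['IPV']   # IP verdict, e.g. NLI (not listed)
    }
}

# Constructed sample headers: the copy that reached the Inbox ...
$inboxCopy = @'
Received: from mail.example.invalid (203.0.113.10) by mx.your-tenant.tld
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;
 SFV:NSPM;H:mail.example.invalid;PTR:;CAT:NONE;DIR:INB;
X-MS-Exchange-Organization-SCL: 1
Subject: Quick request
'@

# ... and the copy delivered to Junk a few seconds later
$junkCopy = @'
Received: from mail.example.invalid (203.0.113.10) by mx.your-tenant.tld
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.invalid;PTR:;CAT:GIMP;DIR:INB;
X-MS-Exchange-Organization-SCL: 5
Subject: Quick request
'@

$inbox = Get-ForefrontVerdict -RawHeaders $inboxCopy
$junk  = Get-ForefrontVerdict -RawHeaders $junkCopy

@(
    [pscustomobject]@{ Copy = 'Inbox'; SCL = $inbox.SCL; SFV = $inbox.SFV; CAT = $inbox.CAT; IPV = $inbox.IPV }
    [pscustomobject]@{ Copy = 'Junk';  SCL = $junk.SCL;  SFV = $junk.SFV;  CAT = $junk.CAT;  IPV = $junk.IPV }
) | Format-Table -AutoSize
```

Paste the real headers of each copy (from Outlook's message properties or a message trace detail) into the two here-strings. A first copy with CAT:NONE and a later copy with CAT:GIMP would match the Explorer verdicts shown in the post, where only the later deliveries carry the "Mailbox intelligence impersonation" detection technology.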
1 Reply
ExMSW4319 (Iron Contributor):
The Exchange Online engine really is that adaptive - some of the time.
If you mean user impersonation protection in your anti-phishing policy then yes, I recently turned it on for one of my frequent targets and it may have helped - the rate of attacks fluctuates so much anyway that it is hard to tell. If you mean mailbox intelligence for impersonation then watch the feature for a bit to ensure it is not going rogue. The agent tends to view any instance of vip.user at freemail.tld as a spoof of vip.user at your-tenant.tld, even though both accounts may really belong to VIP user. Adding vip.user at freemail.tld to the trusted senders in the same policy generally fixes that, if you don't mind the risks of vip.user at freemail.tld being spoofed or hacked.
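The reply distinguishes three settings in the anti-phishing policy: user impersonation protection for named VIPs, mailbox intelligence for impersonation, and the trusted senders list that exempts a VIP's genuine freemail address. The following Exchange Online PowerShell is an added example, not the replier's or Microsoft's code: it reads those settings from a policy, adds a protected user, and adds a trusted sender. It assumes the ExchangeOnlineManagement module is installed, that the policy being edited is the built-in one named 'Office365 AntiPhish Default', and uses placeholder names and addresses (jane.doe@your-tenant.tld, jane.doe@freemail.tld) that you would replace with your own.

```powershell
# Added example, not from the original thread. Requires the ExchangeOnlineManagement
# module; policy name, display name and addresses below are placeholders.
Connect-ExchangeOnline

$policyName = 'Office365 AntiPhish Default'   # assumption: editing the default policy

# 1. Inspect the impersonation-related settings before changing anything
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name,
                  EnableTargetedUserProtection, TargetedUsersToProtect, TargetedUserProtectionAction,
                  EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
                  MailboxIntelligenceProtectionAction,
                  ExcludedSenders, ExcludedDomains |
    Format-List

# 2. Protect the executive explicitly (user impersonation protection).
#    Entries use the form "DisplayName;EmailAddress"; @{Add=...} keeps existing entries.
Set-AntiPhishPolicy -Identity $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @{Add = 'Jane Doe;jane.doe@your-tenant.tld'}

# 3. If mailbox intelligence keeps treating the executive's genuine freemail address as a
#    spoof, exempt that one address rather than disabling the feature.
Set-AntiPhishPolicy -Identity $policyName `
    -ExcludedSenders @{Add = 'jane.doe@freemail.tld'}

# 4. Confirm the resulting lists
$policy = Get-AntiPhishPolicy -Identity $policyName
$policy.TargetedUsersToProtect
$policy.ExcludedSenders

Disconnect-ExchangeOnline -Confirm:$false
```

TargetedUserProtectionAction and MailboxIntelligenceProtectionAction decide what happens to a hit (for example MoveToJmf or Quarantine); the script leaves them as they are so you can check step 1's output before deciding. Entries added to ExcludedSenders are trusted for the whole policy, which is the trade-off the reply points out: a spoofed or compromised freemail account of that VIP would then bypass impersonation checks.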