I'm trying to understand the malware scanning capability of MCAS.  Other CASB solutions transfer documents and data from SharePoint and Onedrive to their datacenter for malware detection and analysis. Is this also true for MCAS malware detection?

From my understanding the check is done on data at rest in O365 and in connected apps. is that also true for the sandboxing capabilities that was recently announced ? 

https://www.microsoft.com/security/blog/2019/03/14/evolution-microsoft-threat-protection-rsa-edition...