Below is the matched DLP details:

Title: DLP Test
Document owner:
Person who last modified document:
Person sharing item: AlI Vex AllV@externaldomain.com
To: user@internaldomain.com
Cc: admin@internaldomain.com
Bcc:
Severity: High
False positive: No
Override: No

Condition matched: External recipients
Condition matched: Contains sensitive information

.

.

.

..

.

Detected: External recipients, user@unknowndomain.com

Issue

the detected external domain is not listed in either the to,cc,of bcc lines.

question

Is there a way to investigate what policy is adding an external recipient if there is any?

Could the external recipient be added and hidden by the sender? Is there a way to verify this?

Can a matched DLP policy mail flow be traced to view all policies\rules that the email matched during its transportation?

Any suggestion or thought is welcome.

FYI - Message tracing does not provide the details needed.

thanks