That behavior is both troubling and unusual. If you haven't contacted the support team that services your account, I highly encourage you to do so. A few things I would also look for are:
- In the header of the message, if a "Received from _____ by ____" hop is missing a line with a server and ESMTP ID that ends in mxlogic.net, the message bypassed the filter through direct connection.
- Verify the recipient user accounts in the Control Console were not set to exempt them from any level of filtering
- If you have access to Message Audit, check to see if this was released from quarantine by anyone. If you don't directly have this, your support team can pull the necessary details.
Above all, though, in a case like this, contacting your support team is highly recommended so they can fully investigate the issue.
Let me know if you have any questions.
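The header check from the first bullet above can be scripted as follows. This is an added example, not part of the original posts: it parses the `Received` hops of a raw message and reports whether any hop was recorded by a host under mxlogic.net with an ESMTP id. The function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

FILTER_SUFFIX = "mxlogic.net"  # filter domain named in the post

# Constructed sample messages; hostnames, addresses and ids are made up.
FILTERED = """\
Received: from p01c12m045.mxlogic.net (p01c12m045.mxlogic.net [192.0.2.10])
\tby mail.example.com (Postfix) with ESMTP id 4A1B2C3D; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby p01c12m045.mxlogic.net with ESMTP id 0a1b2c3d.0.12345.00-001.p01c12m045.mxlogic.net
\t(envelope-from <a@example.net>); Mon, 1 Jan 2024 10:00:01 +0000
From: a@example.net

body
"""
DIRECT = """\
Received: from sender.example.net (sender.example.net [198.51.100.7])
\tby mail.example.com (Postfix) with ESMTP id 9F8E7D6C; Mon, 1 Jan 2024 10:00:02 +0000
From: a@example.net

body
"""

def host_matches(host, suffix=FILTER_SUFFIX):
    """True for the domain itself or a subdomain, not for look-alikes."""
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def parse_hop(value):
    """Extract the from/by/id tokens of one (possibly folded) Received value."""
    flat = " ".join(value.split())
    def grab(keyword):
        m = re.search(r"(?:^|\s)%s\s+([^\s;()]+)" % keyword, flat)
        return m.group(1) if m else None
    return {"from": grab("from"), "by": grab("by"), "id": grab("id")}

def filter_hops(raw, suffix=FILTER_SUFFIX):
    """Return the hops that were received *by* a filter host with an id."""
    msg = message_from_string(raw)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    return [h for h in hops
            if h["by"] and h["id"] and host_matches(h["by"], suffix)]

def bypassed_filter(raw, suffix=FILTER_SUFFIX):
    """True when no Received hop shows the message passing the filter."""
    return not filter_hops(raw, suffix)

if __name__ == "__main__":
    for name, raw in (("FILTERED", FILTERED), ("DIRECT", DIRECT)):
        print(name, "bypassed filter:", bypassed_filter(raw))
```

`Received` lines written before the message reached your own infrastructure are supplied by upstream hosts and can be forged, so treat a match as a starting point and confirm it against the hop recorded by the server you control.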
Thanks for the quick response. After speaking to support, it turns out that the malicious messages were spoofing the domain of a known business partner that had been added to the whitelist. We have now cleaned out our policy's whitelist and hopefully that should take care of it.
We were not aware that a domain's entry on the whitelist exempted it from scanning. A warning on that page would be helpful. Thanks!