Hi mon_raralio
The triggered policies put another spin on the situation, also raise a few questions.
- are the triggered content policies / dictionaries used custom or default ones ?
- do you have the client's permission to view the email and attachment ? (based on the entry above the mail and attachment was not reviewed)
- is the MS Word version used known ?
- is the quarantined mail (shown in the screen-shot) containing the same MS Word attachment (or there are various documents) ?
- are these emails from the same sender ?
Some testing could also eliminate possibilities:
- find out the MS Word version used in creating the attached files.
- create a 'clean' test word document and send it through the SBG, check the result in the Message Audit Logs
- narrow down the quarantined mail instances (if there are various)
If the information cannot be posted, I suggest providing sample emails to Symantec (via a support case) for testing.
Cheers