Suspicious Email Delivered In Microsoft 365

Sigma Rules

Summary
Detects instances where Microsoft Defender for Office 365 identifies an inbound email as malicious or suspicious through its Threat Intelligence (ThreatIntelligence) and TIMailData inbound mail data, yet the message is still delivered to a user's Inbox or Junk folder. Such a delivery means the email bypassed the initial blocking controls and reached the end user, potentially indicating a spearphishing attachment or link that evaded protection. The rule is labeled experimental and uses the Microsoft 365 audit log's inbound mail data to flag potential protection gaps that require investigation and remediation.
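As an added illustration of the detection logic described above (example code, not the rule's own source or any Microsoft code), the following filter re-creates the rule's conditions over Microsoft 365 unified audit log records. Beyond the Workload and Operation values named on the page, the field names and values used (Directionality, DeliveryAction, LatestDeliveryLocation, NetworkMessageId, Verdict) are assumed to match the TIMailData record schema, and the sample records are constructed.

```python
from typing import Iterable

# Assumed TIMailData values meaning the message reached the user's mailbox.
DELIVERED_ACTIONS = {"Delivered", "DeliveredAsSpam"}
INBOX_OR_JUNK = {"Inbox/folder", "Junk folder"}


def is_suspicious_delivered(rec: dict) -> bool:
    """True when a Defender for Office 365 threat record shows the inbound
    message was nevertheless delivered to the Inbox or Junk folder.

    TIMailData records are only emitted for mail Defender has already flagged,
    so the Workload/Operation check is what establishes "identified as
    malicious or suspicious"; the delivery fields establish the gap.
    """
    return (
        rec.get("Workload") == "ThreatIntelligence"
        and rec.get("Operation") == "TIMailData"
        and rec.get("Directionality") == "Inbound"
        and rec.get("DeliveryAction") in DELIVERED_ACTIONS
        and rec.get("LatestDeliveryLocation") in INBOX_OR_JUNK
    )


def find_delivery_gaps(records: Iterable[dict]) -> list[str]:
    """Return the NetworkMessageIds of records matching the rule, for triage."""
    return [r["NetworkMessageId"] for r in records if is_suspicious_delivered(r)]


# Constructed sample audit records (not real tenant data).
SAMPLE_RECORDS = [
    {"Workload": "ThreatIntelligence", "Operation": "TIMailData", "Directionality": "Inbound",
     "Verdict": "Phish", "DeliveryAction": "Delivered",
     "LatestDeliveryLocation": "Inbox/folder", "NetworkMessageId": "msg-0001"},
    {"Workload": "ThreatIntelligence", "Operation": "TIMailData", "Directionality": "Inbound",
     "Verdict": "Malware", "DeliveryAction": "Blocked",
     "LatestDeliveryLocation": "Quarantine", "NetworkMessageId": "msg-0002"},
    {"Workload": "ThreatIntelligence", "Operation": "TIMailData", "Directionality": "Inbound",
     "Verdict": "Phish", "DeliveryAction": "DeliveredAsSpam",
     "LatestDeliveryLocation": "Junk folder", "NetworkMessageId": "msg-0003"},
    {"Workload": "Exchange", "Operation": "MailItemsAccessed", "Directionality": "Inbound",
     "DeliveryAction": "Delivered", "LatestDeliveryLocation": "Inbox/folder",
     "NetworkMessageId": "msg-0004"},
]

if __name__ == "__main__":
    for msg_id in find_delivery_gaps(SAMPLE_RECORDS):
        print(f"flagged-but-delivered: {msg_id}")
```

Only msg-0001 and msg-0003 match: the quarantined message and the unrelated Exchange record are filtered out.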
Categories
  • Cloud
Data Sources
  • Cloud Service
Created: 2026-01-27