We get a number of messages that are Deferred / Not Delivered as Suspicious etc whilst they are awaiting scanning from ATP (Scan First the Deliver)
We have saved searches to quickly identify suspicious messages. The issue being is that the Message Log will show these with two line actions....once whilst its pending a scan as Not Delivered, the second will show when its successfully delivered, so no longer classed as suspicious. This can be quite misleading when performing a check to see if anything has been incorrectly tagged, as searching for simply Suspicious emails doesn't show the later Delivered status.
Is there any way of searching for items that have been tagged as Suspicious but not later released when scanned?