<<ZAP Action - Does the ZAP action use the reporting account for accessing the email?
I checked the MS Doc about ZAP and there doesn't seem to be any clear instructions on this. So there seems to be no evidence. Personally, I don't think it uses the reporting user's account, based on the Doc description it seems to just scan and monitor emails and move them to junk or delete.
If you received a secondary alert, perhaps someone clicked on the link after reporting the email as phishing.
Could you provide a screenshot of the alert?
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.