Could be true type attachements or wmz:
True-type detection is when a file type that is in your common attachment filtering list triggers a detection even if the file type in the message is different. Common examples are .wmf pictures filtered as .wmz file types (.wmz are compressed versions of .wmf files). So, if your organization needs to receive .wmz file types, remove .wmf from the common attachment filter in your anti-malware policies.
This article may be helpful to track it down: