I'm in a situation where one of our software sends emails with links to approve certain types of requests (you get a link to approve and a link to refuse).
If these email notifications are sent through a connector (typically our on-prem exchange server) in our 365 exchange server on our tenant then all is well. If instead they are sent through a software I have running that accepts incoming SMTP requests and sends the email through the graph APIs after about 30/40 minutes of having received the email something scans\opens the email links thus approving the requests without the users knowledge.
Any ideas of what is scanning the notifications only when they are sent through graph? And for some reason 30/40 minutes after delivery?
We are also running defender on the client machines.