Not OP but I've also seen this. I think some of the servers in question were "outlook-protection" in their domain names. Some kind of managed service middleware in the stack to do additional scanning.