If you have the AMP license for ESA attachments will be checked, and if unknown/suspicious, they get uploaded to ThreatGrid (aka Secure Malware Analytics) to be opened/executed.
You can get a free "device management" login to ThreatGrid to see what's happening with the stuff you ESAs upload. Chase your AE and Security AE down about that.