SLV

Hi, 
Ad. Internal: messages are consider as internal if the SMTP connection is not marked as external by Exchange server, or when the email comes from the internal mailbox, or when is submitted via local pickup.
Ad. Outgoing: this is based on the email recipients categories. EMSX checks all recipients of the email to determine whether they are located in the same organization, in different organization, or are marked by Exchange as external.

Hi, when there is a limit on number of IP addresses from Received headers set by user, they are counted from the most recent (appears on top). Local IP addresses and addresses on Ignore list are skipped i.e. not counted towards the limit.
Note: besides Received headers, we also acquire the IP address of the connecting server from the SMTP session - this address is always checked against our cloud blacklists/whitelists, independent on whether it is part of Received headers or not. 

Appreciate what you're saying - my understanding is this exploit triggers the Outlook client to initiate an outbound SMB connection via the system process thereby exposing the NTLM hash.
ESET Mail Security is running in the inbound side of Exchange edge transport - before the exploit ever reaches the mailbox, and far before the Outlook client comes into play.