The security team monitoring WSS tenant logs found some suspicious log lines.
The tenant used WSS in "explicit proxy mode" only, with 4 locations that obviously use public IP addresses.
However, the log lines show user IP address entries from PRIVATE IP addresses, such as 10.230.15.180 and many others in the 10.230.0.0/16 range.
Most users reported valid IP addresses, but a small subset of logs had these private IP addresses.
These IP addresses do not match any of our user IP addresses.
Explicit mode
Also seen with the SEP WTR access method and Proxy Forwarding (both also use explicit mode).
A policy evaluation bug caused the user IP address to be rewritten to internal NATed IP addresses under certain criteria.
Re-run reports. The WSS update from July '21 addresses this. Any reports run before this time will occasionally show the 10.x.x.x/8 private IP addresses.
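To decide which exported reports need re-running, the following added example (not Broadcom code) sorts report rows by whether a private client IP is explained by this bug or needs a closer look. The CSV column names, access-method labels and the 1 August 2021 cutoff are assumptions; the page gives only "July '21" and no export schema.

```python
import csv
import io
import ipaddress
from datetime import date

# Assumption: the page dates the fix only as "July '21", so any report run
# before 1 August 2021 is treated as possibly affected.
FIX_CUTOFF = date(2021, 8, 1)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed labels for the explicit-mode access methods named on the page.
EXPLICIT = {"explicit", "wtr", "proxy_forwarding"}

# Constructed sample report export; column names are hypothetical.
SAMPLE = """client_ip,access_method
198.51.100.20,explicit
10.230.15.180,explicit
10.230.7.9,wtr
203.0.113.7,proxy_forwarding
not-an-ip,explicit
"""

def classify(row, report_run):
    """Return 'ok', 'rerun-report', 'investigate' or 'malformed' for one row."""
    try:
        ip = ipaddress.ip_address((row.get("client_ip") or "").strip())
    except ValueError:
        return "malformed"
    if not any(ip in net for net in RFC1918):
        return "ok"
    method = (row.get("access_method") or "").strip().lower()
    # A private client IP on an explicit-mode method matches the described
    # symptom only when the report was generated before the fix.
    if method in EXPLICIT and report_run < FIX_CUTOFF:
        return "rerun-report"
    # Private IP in a report run after the fix, or on another access method.
    return "investigate"

def triage(text, report_run):
    """Group the client IPs of a CSV report export by classification."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups.setdefault(classify(row, report_run), []).append(row.get("client_ip"))
    return groups

if __name__ == "__main__":
    for run in (date(2021, 5, 4), date(2021, 9, 2)):
        print(run, triage(SAMPLE, run))
```

Rows that land in `investigate` are private addresses the bug does not account for, so they should be checked against the tenant's actual access methods and locations rather than dismissed.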