O365 Securlet Policy doesn't trigger for a Policy that specifies a recipient in addition to Public Exposure

This was tested from an anonymous browser as well as from a browser session where the recipient was logged in to O365 and accessed/downloaded the file via the shared link.

To meet the criteria of Public Exposure, the individual sharing the file needs to specify 'Anyone with the link can edit'.

When this Share option is selected, CloudSOC does not evaluate the list of recipients. This means if a recipient is also specified in the Policy in addition to Exposure Type as Public, the recipient identity will be ignored and the Policy will not trigger.