If you have enabled ESS Synapse integration with Email Security.Cloud., then SEDR Appliance will generate Incidents based off 4125 events.
Conversion of UTF-8 multi-byte characters caused a parse error from ESS retrieved data format into event json format. If a 4125 event comes in with fields missing, the existing logic mistook that as a trigger.
This issue is resolved in SEDR 4.7.