@burnout426 - Been busy offline. Just want to thank you and others for troubleshooting this sucker.
I don't know if this is related in any way, but years ago I used to send out emails to clients. It was getting blocked, so I had to convert the pdf file attachment to a simple text file.
Two years later, another one of my information files was getting blocked by clients with gmail accts. I created a gmail account and tested enough to determine gmail was content screening.
So I stripped off all file attachments. it was still being blocked! So I then started deleting sentences in the body of the email message, starting with suspect things like links. Then I searched for names and any inflammatory comments.
After 5 hours, I traced the string of text that gmail was rejecting. It was just a few innocuous words from a sentence. i can't remember the words, but I was shocked. The words were completely innocuous and ordinary. It contained now names of people or things. nothing.
I've learned a lot since then. Lots of reasons why ESPs would black list or gray list an ip address. But also, as the story reflects, how fickle and erratic that content screening can be.
So can it be possible that whatever is was that was triggering Defender alerts was something we wouldn't even consider suspect. Unless MS announces what it was, we may never know. Does that make sense?