The email was sent by a 3rd party to AAA@icloud.com but was found in the Gmail Inbox. I suspect the custodian had a rule configured on an iPhone or Mac to automatically move messages received by AAA@icloud.com to the inbox of AAA@corp.com. I would appreciate any insights on how a personal email ended up in the corporate Gmail inbox in this scenario.
Since the iCloud mailbox and the Google Workspace mailbox are two separate mailboxes, I think such a rule would be a forwarding rule rather than a move. I believe there is a separate header for that, which would look as follows (I recommend testing to confirm):
X-Apple-Action: FORWARD/AAA@corp.com
My guess is that the headers you mentioned are related to Apple’s processing of that message within the iCloud mailbox rather than the message’s being transferred to an external mailbox (again, test to confirm).
A few possibilities that come to mind:
1. If the end-user had both the iCloud and the Google Workspace accounts configured in the same email client, they may have dragged the message from their iCloud mailbox to their Google Workspace mailbox—whether it be deliberately or by accident.
2. They may have uploaded the email to the Google Workspace mailbox by other means such as by using the IMAP APPEND command or Gmail API.
3. The email may have been sent to the Google Workspace mailbox to begin with. The delivery of the mail is controlled by the SMTP envelope, not by the to/cc/bcc headers in the MIME message.
A quick way to investigate #1 and #2 would be to perform IMAP UID / InternalDate analysis on the Google Workspace mail folder to determine if the message was delivered there contemporaneously or after the fact. You can use FEC to do this easily, and can find some inspiration regarding what to look for here:
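Added example, not part of the original reply and not code from FEC: one way to run the UID / InternalDate comparison described above over the metadata an IMAP FETCH returns. The records are constructed, the two thresholds are assumptions, and the logic assumes the server assigns UIDs in ascending order as messages enter the folder.

```python
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: (UID, INTERNALDATE, Date header) for one mail folder.
SAMPLE = [
    (101, "10-Jul-2023 09:00:05 +0000", "Mon, 10 Jul 2023 09:00:00 +0000"),
    (102, "12-Jul-2023 16:20:41 +0000", "Wed, 12 Jul 2023 16:20:30 +0000"),
    (103, "15-Jul-2023 08:05:12 +0000", "Sat, 15 Jul 2023 08:05:00 +0000"),
    # Higher UID than 103 but an older InternalDate: added to the folder later,
    # with the internal date carried over (APPEND accepts a client-supplied date).
    (104, "11-Jul-2023 14:30:10 +0000", "Tue, 11 Jul 2023 14:30:00 +0000"),
    (105, "16-Jul-2023 11:45:03 +0000", "Sun, 16 Jul 2023 11:45:00 +0000"),
    # InternalDate days after the Date header: arrived in the folder after the fact.
    (106, "18-Jul-2023 08:00:00 +0000", "Thu, 13 Jul 2023 10:15:00 +0000"),
]

def parse_internaldate(value):
    """Parse the IMAP date-time format, e.g. '17-Jul-2023 02:44:25 -0700'."""
    return datetime.strptime(value, "%d-%b-%Y %H:%M:%S %z")

def analyze(records, skew=timedelta(minutes=10), late=timedelta(hours=24)):
    """Return {uid: [flags]} for messages that do not look contemporaneous.

    skew and late are assumed tolerances; tune them to the mailbox.
    """
    findings = {}
    newest_seen = None  # latest InternalDate among lower UIDs
    for uid, internal_raw, date_raw in sorted(records):
        internal = parse_internaldate(internal_raw)
        sent = parsedate_to_datetime(date_raw)
        flags = []
        # UIDs only grow, so an InternalDate older than what lower UIDs
        # already carry means the message was inserted out of sequence.
        if newest_seen is not None and internal < newest_seen - skew:
            flags.append("uid-out-of-sequence")
        # Normal SMTP delivery lands within minutes of the Date header.
        if internal - sent > late:
            flags.append("late-arrival")
        if flags:
            findings[uid] = flags
        newest_seen = internal if newest_seen is None else max(newest_seen, internal)
    return findings

if __name__ == "__main__":
    for uid, flags in analyze(SAMPLE).items():
        print(uid, ", ".join(flags))
```

A flagged UID is a lead to correlate with the message's Received headers and the neighbouring messages, not a conclusion about how it got there.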