Your organization uses Microsoft 365 E5. You need to implement a solution that notifies the IT team when a user receives an email containing potential malware, while adhering to the principle of least privilege. Which combination of policy type and role should you use?