Included Addresses capture more events than expected.

Document ID : KB000123116
Last Modified Date : 18/12/2018

All triggers in the user policy can use lists of included, excluded, or ignored items. You specify which list is checked for matching items. Examples include lists of matching URLs, file names, email addresses, search text, and so on.

Included lists
Included items are forbidden items. If a trigger uses an Included list, any single item in the list can activate the trigger. If a trigger fails to detect any items in the Included list, the trigger does not activate. For example, if a Web page capture trigger uses an Included URL list, any URL on this list triggers a capture when the user browses to it.
Included Addresses lists also affect data lookup commands that use %sender%, %recipient%, %senderalias% or %recipientalias% variables. If a trigger uses an Included list, these data lookup commands only evaluate included email addresses.
Why are more mail items than expected included in the policy scope where "Included Addresses" are employed?
CA Data Protection 14.x/15.x
The "Included Addresses" filter can include literally anything, and each entry is executed with leading and trailing wildcards. See the examples below:

Example 1: 
If you added "" to the Included Addresses list, this would pick up any parsed address that included that domain.

Example 2:
If you were to use simply "hotmail

It would pick up
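
The implicit leading and trailing wildcards described in this article turn every list entry into a substring test. The following is an added example, not CA Data Protection code: it models that behaviour in Python and lists the addresses an entry captures beyond an exact address or domain match. The function names, the sample addresses and the case-insensitive comparison are assumptions.

```python
# Added illustration: models the matching behaviour described in the article.
# Not CA Data Protection code; case-insensitive comparison is an assumption.

def wildcard_match(entry: str, address: str) -> bool:
    """Model of *entry* matching: the entry may appear anywhere in the address."""
    return entry.lower() in address.lower()


def exact_domain_match(entry: str, address: str) -> bool:
    """What an administrator often expects: entry equals the address or its domain."""
    addr = address.lower()
    wanted = entry.lower().lstrip("@")
    domain = addr.rpartition("@")[2]
    return addr == wanted or domain == wanted


def audit_included_list(entries, addresses):
    """For each entry, return the addresses captured only because of the implicit
    wildcards (matched as a substring, but not as a whole address or domain)."""
    report = {}
    for entry in entries:
        report[entry] = sorted(
            a for a in addresses
            if wildcard_match(entry, a) and not exact_domain_match(entry, a)
        )
    return report


# Constructed sample data (not taken from the article or any real system).
SAMPLE_ADDRESSES = [
    "alice@hotmail.com",
    "bob@hotmail.co.uk",
    "hotmail.support@example.org",
    "carol@example.com",
    "dave@mail.example.com",
    "erin@example.com.invalid",
]
SAMPLE_ENTRIES = ["hotmail", "example.com", "hotmail.com"]

if __name__ == "__main__":
    for entry, extra in audit_included_list(SAMPLE_ENTRIES, SAMPLE_ADDRESSES).items():
        print(f"{entry!r}: {len(extra)} unexpected match(es): {extra}")
```

Running the audit against a sample of real sender and recipient addresses before deploying a policy shows which entries need to be made more specific.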