An internal domain is a domain owned or controlled by your organization. According to Advanced Threat Protection policy configurations, Cloud App Security uses internal domains as global settings to:
Identify email traffic transmitting through your internal domains from incoming email messages.
Exclude them from Web Reputation scanning if they are added to the approved URL list.
Further check email messages claimed to be sent from these domains, apply fraud checking criteria to identify forged messages, and take actions on the BEC attacks.
For details about how to configure internal domains, see Internal Domains.