https://www.microsoft.com/en-us/wdsi/filesubmission
This may be outdated, but you can also configure Defender to always prompt before sending:
https://docs.microsoft.com/en-us/windows/security/threat-pro...
It would be interesting to set it to always prompt and see what triggers it. There must be some level of fingerprinting done on the client (hash of the binary? network activity, etc.) that can be used to compare against known threats.