It would most likely be your organization's LAN. It's unlikely to be at the ISP level. Umbrella is working as intended with the certificate you're seeing. For some reason, it has decided that the traffic to your site is suspicious and needs to be looked at in detail, and that's done by intercepting the traffic with a custom root.
Pretty much, though it's not so much misbehaving and more like whoever is responsible for Umbrella in your organization forgot to ask you to install their root certificate.