Forum Discussion

newlunga's avatar
newlunga
Copper Contributor
Jul 12, 2023

Block labeled file with sensitive information being send with email

I have enabled DLP polices to block a files sent by email when it contains credit card numbers. This works fine when the file is unencrypted. When I send a labeled file with the same credit card numbers then DLP does not block it and report that no sensitive data is detected.

What do I miss here?

  • newlunga 

     

    Thank you for posting your question here. Just to confirm, the scenario is this:

     

    • You have a DLP scoped to Exchange Online that blocks emails/files that contain credit card numbers from being shared outside of your organization
    • This policy does not look for sensitivity labels as a condition
    • This policy works if the file is not labeled
    • This policy does not work if it is labeled, even if it contains a credit card number

    Please let me know if any of the above are incorrect.

     

    With that being said, would you be willing to share some images of your DLP policy by chance? Feel free to share them in a direct message to me if you're not comfortable sharing them here.

     

    I have a similar policy and I have confirmed that the email gets blocked even if the file is labeled and that label forces encryption on the file.

     

    As you can see in the below image, my DLP policy is looking for a set list of sensitive info types and a set list of sensitivity labels (none of these labels were used to test your scenario).

     

     

     

    Now, I have a document that contains a small amount of credit card numbers (I know that Microsoft Purview accurately detects the CCNs in this document), which has the sensitivity label "Auth Users" applied to it, which as you can see in the policy, is not a label I am blocking through DLP.

     

     

    If I attach this document to an exchange email and attempt to send it externally, it will let me hit send, but I then receive a bounce back email informing me that the message was blocked during send after detecting the credit card numbers in the attachment.

     

     

    In the incident report email, I can see it was blocked based on the credit card numbers.

     

     

    So, as you can see, even if the file is encrypted, I should still be prevented from sending a file containing credit card numbers to external recipients due to my Exchange Online DLP policy so I'd love to review your policy and see if we can identify what the cause may be on this.

     

     

     

     

  • newlunga 

     

    Thank you for posting your question here. Just to confirm, the scenario is this:

     

    • You have a DLP scoped to Exchange Online that blocks emails/files that contain credit card numbers from being shared outside of your organization
    • This policy does not look for sensitivity labels as a condition
    • This policy works if the file is not labeled
    • This policy does not work if it is labeled, even if it contains a credit card number

    Please let me know if any of the above are incorrect.

     

    With that being said, would you be willing to share some images of your DLP policy by chance? Feel free to share them in a direct message to me if you're not comfortable sharing them here.

     

    I have a similar policy and I have confirmed that the email gets blocked even if the file is labeled and that label forces encryption on the file.

     

    As you can see in the below image, my DLP policy is looking for a set list of sensitive info types and a set list of sensitivity labels (none of these labels were used to test your scenario).

     

     

     

    Now, I have a document that contains a small amount of credit card numbers (I know that Microsoft Purview accurately detects the CCNs in this document), which has the sensitivity label "Auth Users" applied to it, which as you can see in the policy, is not a label I am blocking through DLP.

     

     

    If I attach this document to an exchange email and attempt to send it externally, it will let me hit send, but I then receive a bounce back email informing me that the message was blocked during send after detecting the credit card numbers in the attachment.

     

     

    In the incident report email, I can see it was blocked based on the credit card numbers.

     

     

    So, as you can see, even if the file is encrypted, I should still be prevented from sending a file containing credit card numbers to external recipients due to my Exchange Online DLP policy so I'd love to review your policy and see if we can identify what the cause may be on this.

     

     

     

     

    • newlunga's avatar
      newlunga
      Copper Contributor
      Hello miller34mike.
      Thank you for your comprehensive post. I figured out that I left out the "sensitivity labels" from the condition. I included this and the policy works fine. I appreciate your response.

Resources