Forum Discussion

IanG562's avatar
IanG562
Brass Contributor
Nov 01, 2024
Solved

Inbound Sensitive Information

Hello All, We currently have some DLP policies to restrict Financial Data, HIPPA, and PII data from leaving our org.   However, is there a way to restrict this type of sensitive data from being se...
data loss prevention
exchange online
  • IanG562's avatar
    IanG562
    Nov 22, 2024

    Thanks for the reply.  From my testing this rule I created seems to do the trick.

    New DLP Policy

    Locations: set to all Exchange email.

    Advanced DLP Rule:

    Recipient Match
    Conditions
    Recipient is: <email of shared mailbox>
    And
    Content contains any of these sensitive info types: U.S. Social Security Number (SSN), Drug Enforcement Agency (DEA) Number, International Classification of Diseases (ICD-10-CM), International Classification of Diseases (ICD-9-CM)
    And
    Content contains any of these sensitive info types: Credit Card Number, U.S. Bank Account Number, ABA Routing Number
    And
    Content contains any of these sensitive info types: U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN), U.S. / U.K. Passport Number
    Evaluate predicate for Message or attachment

    Actions
    Notify users with email (customize email body)
    Restrict access to the content

    Under the  User notifications section I have a custom message stating the message was found to have sensitive information and was not delivered.

    So far when sending and email containing the above sensitive info from an external account the message does appear to be getting blocked.  It does take awhile for the email notification to be delivered but it eventually comes through.

    Do you see any issues with this rule?

AakashMalhotra's avatar
AakashMalhotra
Icon for Microsoft rankMicrosoft
Nov 22, 2024

DLP does scan incoming email as well. You can use the condition "Content is received from"

Note that you should not select any user or group in policy scope, as that limits to internal senders.

IanG562's avatar
IanG562
Brass Contributor
Nov 22, 2024

Thanks for the reply.  From my testing this rule I created seems to do the trick.

New DLP Policy

Locations: set to all Exchange email.

Advanced DLP Rule:

Recipient Match
Conditions
Recipient is: <email of shared mailbox>
And
Content contains any of these sensitive info types: U.S. Social Security Number (SSN), Drug Enforcement Agency (DEA) Number, International Classification of Diseases (ICD-10-CM), International Classification of Diseases (ICD-9-CM)
And
Content contains any of these sensitive info types: Credit Card Number, U.S. Bank Account Number, ABA Routing Number
And
Content contains any of these sensitive info types: U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN), U.S. / U.K. Passport Number
Evaluate predicate for Message or attachment

Actions
Notify users with email (customize email body)
Restrict access to the content

Under the  User notifications section I have a custom message stating the message was found to have sensitive information and was not delivered.

So far when sending and email containing the above sensitive info from an external account the message does appear to be getting blocked.  It does take awhile for the email notification to be delivered but it eventually comes through.

Do you see any issues with this rule?

  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor
    Feb 15, 2025

    I am curious, why did you include the SSN SIT multiple times?

Resources