Forum Discussion
Is there a way to only alert on emails sent externally?
Currently, the DLP policies are configured to detect content when shared with people outside of the organization. However, we are seeing internal to internal email communications. How do we fix this? Thank you.
3 Replies
- vicwingsingIron Contributor
Check the DLP policies settings. In the Advance DLP rule, check if both options for "Content is shared from Microsoft 365" is selected
It is likely that these 2 are both selected and using the OR operator.
The fix is you delete the condition for 'Only with people inside my organisation'
- skwahaes1122Copper Contributor
vicwingsing
Hi Victor thank you for the reply! I am re-checking all of our policies and can confirm that none of them contain the OR statement you mentioned below. The email sender is an auto reply inbox, wonder if it could be detecting it as an external account? But still doesn't make sense to me why it would?Here is an example of one:
And here is the example alert found within Activity Explorer:
- vicwingsingIron Contributor
I'd check the following:
1. Open up the Email headers of the auto reply email. Check if it has the same details (origin, smtp servers) as the regular user generated mail
2. Create an a group within the policy then specifically exclude the auto reply emails