Forum Discussion

Neill's avatar
Neill
Brass Contributor
Dec 05, 2025

Exchange SE Transport Rule Query

I'm trying to use a transport rule to send a notification to an audit mailbox with a note of the names of all attachments being sent externally with From, To, CC, BCC details.

It sort of works.

Rule

If message has an attachment that's larger than or equal to 0 bytes

Do the following

Set audit severity level to 'Not specified' and send the incident report to <audit mailbox>, include these message properties in the report: sender, recipients, subject, cc'd recipients, bcc'd recipients, severity, sender override information, matching rules, false positive reports, detected data classifications, matching content.

 

If I send a message to: 'email address removed for privacy reasons', cc: 'email address removed for privacy reasons', bcc:'email address removed for privacy reasons' with 2 attachments the report includes the following:

Sender: <sender>

Recipient: To & CC

Attachments: Only 1 attachment name 

 

i.e. Missing an attachment name and the BCC entry

Is this a bug or a feature?

I presume it is just flagging the first attachment greater than 0 bytes which is annoying but that wouldn't explain the missing BCC entry.

Exchange Server

1 Reply

  • rogerval's avatar
    rogerval
    MCT
    Dec 15, 2025

    This behavior is expected, not a bug.

    Transport rules do not expose BCC recipients because BCC is intentionally removed before the message enters the transport pipeline.
    By design, Exchange strips BCC headers to preserve privacy. Because of this, no transport rule or incident report will ever show BCC recipients.

    Regarding the attachment list:
    The incident report includes the first attachment that triggers the rule condition, not a full list of all attachments.
    If the rule uses a condition such as “Attachment size is greater than or equal to 0 bytes”, the engine simply flags the first attachment that matches and reports that one.

    So:

    • Missing BCC: expected by design.
    • Only one attachment name shown: expected behavior of Transport Rule Incident Reports.

    If you need full attachment logging, this cannot be done using transport rules; you would need an auditing or third-party DLP solution.

Resources