Forum Discussion
Defender email audit - sensitive info in subject line
We are doing security auditing of emails. I'm familiar with the Defender portal, though not too in-depth (have not had time to play around), and not so much with Sentinel or KQL yet. In the course of my audits, I have been finding that people may encrypt emails but still have sensitive information in the subject line. The common understanding is that internal emails would not leave the org, so encryption is not mandatory (though I disagree with that). So I am auditing emails going external. In M365 Defender >> Email & Collaboration >> Explorer section, I did a search:
keyword: "SSN"
sender domain: equals my org
recipient domain: equals none of my org
What are some sensitive information keywords or phrases in the subject line searches in M365 Defender (security.microsoft.com)?
So far I have compiled this list (sucks that M365 Defender does not allow searching with wildcards or patterns):
- SSN
- social security
- TIN
- DOB
- account
- acct
- passport
- license
- DL
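The Explorer search described in the post can be redone with patterns instead of fixed keywords by querying the same mail telemetry through Advanced Hunting. The following is an added example, not something from the thread: it runs a KQL query over the EmailEvents table from PowerShell using the Microsoft.Graph.Security module. "contoso.com" is a placeholder for the org domain, the keyword alternation is the post's list turned into a regex, and the handling of the returned rows assumes the cmdlet's result object exposes each row under Results[].AdditionalProperties. The Subject column is populated even for messages protected with OME or S/MIME, because those encrypt the body and attachments, not the headers, which is the exposure the post is about. Advanced Hunting keeps 30 days of EmailEvents, so the lookback cannot go further than that.

```powershell
# Added example (not from the thread): hunt outbound mail whose Subject carries
# sensitive-data indicators, using Advanced Hunting regex instead of Explorer keywords.
# Requires: Install-Module Microsoft.Graph.Security, and a signed-in identity with
# the ThreatHunting.Read.All permission. 'contoso.com' is a placeholder domain.
Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes 'ThreatHunting.Read.All'

$OrgDomain = 'contoso.com'   # assumption: replace with the sender domain you audit

# KQL over EmailEvents. Subject is visible here even for OME/S/MIME-encrypted mail,
# because encryption covers the body and attachments only, never the Subject header.
# Two checks: a literal SSN shape (123-45-6789) and a case-insensitive keyword list
# with \b word boundaries so "DL" does not fire on "deadline" or "TIN" on "continue".
$Query = @"
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Outbound"
| where SenderFromDomain =~ "$OrgDomain"
| where RecipientEmailAddress !endswith "@$OrgDomain"
| where Subject matches regex @"\b\d{3}-\d{2}-\d{4}\b"
    or Subject matches regex @"(?i)\b(ssn|social security|tin|dob|date of birth|passport|driver'?s? licen[cs]e|acct|account number)\b"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, NetworkMessageId
| order by Timestamp desc
"@

# Run the query through the Graph hunting endpoint (same engine as the portal's
# Advanced Hunting page). Assumed result shape: one dictionary per row in .Results.
$result = Start-MgSecurityHuntingQuery -Query $Query

$rows = $result.Results | ForEach-Object { [pscustomobject]$_.AdditionalProperties }
$rows | Format-Table Timestamp, SenderFromAddress, RecipientEmailAddress, Subject -AutoSize

# NetworkMessageId is the join key if you want to pivot a hit into EmailAttachmentInfo
# or EmailUrlInfo, or look the message up in Explorer.
"Hits in the last 30 days: $($rows.Count)"
```

The same KQL can be pasted directly into Advanced Hunting in the Defender portal if you would rather not use Graph; the point is that `matches regex` gives you the wildcard and pattern matching that the Explorer keyword field lacks.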
The Better Way: Moving from Manual Audits to Automated Policy
Manually searching in Explorer is good for spot-checks and incident response, but it's not a sustainable prevention strategy. The real solution is to use Microsoft Purview Data Loss Prevention (DLP).
A DLP policy can automatically detect this content before it leaves your organization and take action, such as blocking the email, forcing encryption, or notifying an administrator.
Here’s how you can set up a policy specifically for this scenario:
- Go to the Microsoft Purview compliance portal (compliance.microsoft.com).
- Navigate to Data loss prevention > Policies > + Create policy.
- Start with a Custom policy.
- Define Policy Scope: Assign it to apply to Exchange email. You can choose to include all senders or specific groups.
- Create a Rule:
  - Conditions: The rule should trigger when Content contains any of the sensitive info types you care about (Purview has built-in classifiers for these, which are far more accurate than keywords).
  - AND Recipient is outside my organization.
  - Add an Exception: This is the key part. Add an exception for Subject line or header doesn't match patterns.
    - In the pattern matching field, you can list your keywords. Better yet, you can use Sensitive Information Types (SITs). Purview has built-in SITs for things like "U.S. Social Security Number" or "Credit Card Number". These use complex patterns (regex) and checksums to be highly accurate.
- Create a second, more important rule for the subject line itself:
  - Conditions: Subject line contains any of these words or phrases. Here, you can paste your keyword list.
  - AND Recipient is outside my organization.
- Actions for the Subject Line Rule:
  - Block the email: This is the most secure option.
  - Notify the user: Display a policy tip to the sender before they send the email, explaining that sensitive data is not allowed in the subject line and that they need to remove it. This is fantastic for user education.
  - Generate an incident report: This allows you to track violations and follow up.
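The policy walked through in the reply can be created end to end from Security & Compliance PowerShell, which makes it reviewable and repeatable across tenants. The block below is an added example and not code from the reply's author or from Microsoft: it uses the New-DlpCompliancePolicy and New-DlpComplianceRule cmdlets of the ExchangeOnlineManagement module. The policy and rule names, the `Encrypt` RMS template name, and the keyword list are assumptions; regex matching in `SubjectMatchesPatterns` is assumed to be case-insensitive, which is one of the things to confirm while the policy is still in test mode. The subject check lives in its own rule because no encryption action can protect a Subject header, so the only useful actions there are block, policy tip and incident report.

```powershell
# Added example (not from the thread): the two-rule DLP policy from the reply, built with
# Security & Compliance PowerShell (ExchangeOnlineManagement module). Policy/rule names,
# the keyword list and the 'Encrypt' RMS template name are placeholders/assumptions.
Connect-IPPSSession   # sign in with an account holding the Compliance Administrator role

$PolicyName = 'Outbound Sensitive Data (Body and Subject)'   # assumed name

# 1. Policy scoped to Exchange only. TestWithNotifications shows policy tips and records
#    matches in Activity explorer without blocking, so false positives surface before
#    anyone's mail is stopped.
New-DlpCompliancePolicy -Name $PolicyName -ExchangeLocation All -Mode TestWithNotifications `
    -Comment 'Detect sensitive data sent to external recipients, including in the Subject'

# 2. Body/attachment rule: built-in SITs (pattern plus checksum) instead of bare keywords.
#    Listed SITs are OR-ed. External recipients only; the message is rights-protected
#    instead of dropped, which is the "force encryption" outcome.
$contentRule = @{
    Name                                = "$PolicyName - Content"
    Policy                              = $PolicyName
    AccessScope                         = 'NotInOrganization'
    ContentContainsSensitiveInformation = @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';                minCount = '1' }
    )
    ApplyRightsProtectionTemplate       = 'Encrypt'   # assumed; list yours with Get-RMSTemplate
    GenerateIncidentReport              = 'SiteAdmin'
    ReportSeverityLevel                 = 'Medium'
}
New-DlpComplianceRule @contentRule

# 3. Subject rule. Encryption never covers the Subject header, so the only safe action is
#    to block and tell the sender why. Patterns in the list are OR-ed; \b word boundaries
#    stop "DL" matching inside "deadline" and "TIN" inside "continue".
$subjectRule = @{
    Name                      = "$PolicyName - Subject"
    Policy                    = $PolicyName
    AccessScope               = 'NotInOrganization'
    SubjectMatchesPatterns    = @(
        '\b\d{3}-\d{2}-\d{4}\b',                                      # literal SSN, 123-45-6789
        '\b(SSN|social security|TIN|DOB|passport|license|DL|acct)\b'  # the post's keyword list
    )
    BlockAccess               = $true
    NotifyUser                = 'Owner'   # Owner = the sender, for email
    NotifyPolicyTipCustomText = 'Sensitive data was found in the Subject line. Subjects are never encrypted; remove it and put the information in the message body.'
    GenerateIncidentReport    = 'SiteAdmin'
    IncidentReportContent     = @('Title', 'MatchedItem', 'RulesMatched', 'Severity')
    ReportSeverityLevel       = 'High'
}
New-DlpComplianceRule @subjectRule

# 4. Verify what was created, then flip to Enable once test-mode results look right.
Get-DlpComplianceRule -Policy $PolicyName |
    Select-Object Name, AccessScope, BlockAccess, NotifyUser, ReportSeverityLevel
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Leave the policy in TestWithNotifications for a week or two and review the matches in Activity explorer: the keyword patterns in the subject rule are the part most likely to need tuning (a subject like "Account review Q3" will trip a bare `account` pattern), while the SIT-based content rule should already be close to production quality.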