
EASchmitt
Copper Contributor
Apr 15, 2019

Exclude messages from being scanned by DLP policies

I am utilizing the EAC mail flow rule setup by Microsoft to allow users to encrypt messages by typing encrypt into the subject line of their email when sending out emails with sensitive information. Since not all users will remember this, I have enabled DLP policies to help catch these emails and encrypt them when needed.


The problem is, these policies don't interact with each other like I thought they would. Even if an email is encrypted, it's still being scanned and flagged by DLP policies. As far as I can tell my only option is to turn on the DLP policies and set the action to "encrypt" anytime the information it's monitoring for is found, whether the email is already encrypted or not.


Is there any way to omit emails that have already been encrypted by the end user from being scanned by the DLP policies? Or for the DLP policies to detect that it has been encrypted and just let the email send through without reporting those instances?


It seems like the Encryption rule Microsoft enabled for users to encrypt their own emails is completely pointless if DLP is being utilized. End user training isn't even needed to teach them how to encrypt their own emails, but instead just enable DLP and have it encrypt everything that is being sent out with sensitive information.


Similar to what this user is commenting on: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/18628825-allow-dlp-rule-exception-for-encrypted-outbounds

  • Use PermissionControlled instead of Encrypted.
    Encrypted: Encrypted messages.
    PermissionControlled: Messages that have specific permissions configured.
    PermissionControlled: It is usually the emails that have been controlled by information security management services, such as the previous Active Directory Rights Management Service (RMS) and Azure Information Protection (AIP) service.
  • dgs6466
    Copper Contributor

    EASchmitt


    I figured this out. You have to add another rule, in position 0, that explicitly does NOTHING to an encrypted email. The Except Message Type Encrypted does not work. You have to create an additional rule.


    • Tallen816
      Copper Contributor
      Still having this issue in 2023. Following up on where the rule needs to be added like Robin_Poulose mentioned. Please and thank you!
      • DHerberts
        Copper Contributor
        Same, I followed the suggestions the best I can from the post but I'm still not having any luck. Thanks
    • Office365Buddy
      Brass Contributor

      dgs6466


      Hi! Where did you create the rule, in Compliance or Exchange? Please provide more info on the condition and action applied so that we can try.
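
The two pieces of advice in this sub-thread (dgs6466's priority-0 "do nothing" rule, and the earlier suggestion to match PermissionControlled rather than Encrypted) expressed as Exchange Online PowerShell, as an added example that is not code from any post in this thread. It assumes a Connect-ExchangeOnline session, DLP policies enforced as mail flow (transport) rules, placeholder rule names, and that "does NOTHING" means "stop processing more rules", the closest thing a mail flow rule has to a no-op.

```powershell
# Added example (not from any post in this thread). Assumes an Exchange Online
# PowerShell session (Connect-ExchangeOnline) and DLP policies enforced as mail
# flow (transport) rules. Rule names are placeholders. "does NOTHING" in
# dgs6466's post is taken to mean "stop processing more rules".

# 1. The subject-keyword rule the original poster already uses. Priority 1 so it
#    sits below the skip rule but above the DLP rules.
$encryptOnRequest = @{
    Name                 = 'Encrypt when user types encrypt in subject'
    SubjectContainsWords = 'encrypt'
    ApplyOME             = $true
    Priority             = 1
    Comments             = 'User-requested Office 365 Message Encryption'
}
New-TransportRule @encryptOnRequest

# 2. dgs6466's workaround: a priority-0 rule that matches mail that is already
#    encrypted and stops rule evaluation, so the DLP rules below never scan it.
$skipDlpForEncrypted = @{
    Name               = 'Skip DLP for already-encrypted mail'
    MessageTypeMatches = 'Encrypted'
    StopRuleProcessing = $true
    Priority           = 0
    Comments           = 'Must stay above every DLP rule'
}
New-TransportRule @skipDlpForEncrypted

# If 'Encrypted' does not match your OME/RMS-protected mail (the
# PermissionControlled suggestion earlier in the thread), add a second
# priority-0 rule with MessageTypeMatches = 'PermissionControlled';
# the parameter takes a single message type.

# 3. Verify the order before trusting it: the skip rule must be at priority 0
#    and enabled, with nothing above it applying an encryption or DLP action.
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Priority, Name, MessageTypeMatches, StopRuleProcessing, State, Mode

# 4. Then send a test message with 'encrypt' in the subject and confirm in
#    Get-MessageTrace / Get-MessageTraceDetail that only the skip rule fired
#    and no DLP rule reported a match.
```

The thread does not settle whether this also bypasses DLP policies created in the Compliance portal rather than in Exchange, so the message-trace check in step 4 is the part not to skip.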

  • Jbroxterman
    Copper Contributor

    I am looking into this as well. Super helpful to have a DLP send a notification to the user stating "We have detected information in the message that contains PII," and BLOCK it the first time, "please send as an encrypted message," and continue to block it until encryption is applied.


    I know the safeguards of just encrypting random messages to get around the DLP.
