Forum Discussion
Burak_MERCAN
Dec 26, 2022 Copper Contributor
Attachment Count for Exchange Online Traffic
Hello everyone, I'm managing a project for my customer, and they wish to block their users when an email is sent inside-to-inside, outside-to-inside, inside-to-outside and if email contains 20 or m...
VasilMichev
Dec 26, 2022 MVP
There's nothing built-in in M365 to address this scenario.
- Burak_MERCAN, Dec 26, 2022, Copper Contributor
Thank you for the answer! Do you know of any workaround here?
- VasilMichev, Dec 27, 2022, MVP
Perhaps some Outlook add-in can do it. Using custom transport agents is not possible in Exchange Online, so outside of a client-side solution, the only thing that comes to mind is redirecting the mail flow to an external system that can satisfy these criteria.
- RobYoung, Jan 03, 2023, Iron Contributor
All I can think of is if you use Sentinel and create an alert with a playbook to block the user when the attachment count exceeds 20. For example, the query will list all the records of users who sent attachments with a count of 20 or higher:
OfficeActivity
| where RecordType contains "exchange"
| where Operation contains "send"
| extend InternetMessageId_ = tostring(parse_json(Item).InternetMessageId)
| join kind=innerunique EmailEvents on $left.InternetMessageId_ == $right.InternetMessageId
| extend Attachments_ = tostring(parse_json(Item).Attachments)
| where AttachmentCount >= 20
(sorry, query is not polished but it gets the job done)
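
An added example, not part of the thread and not any poster's own query: a self-contained KQL sketch of the same detection that also splits results by mail direction, which is the inside-to-inside, outside-to-inside and inside-to-outside distinction raised in the original question. It assumes the workspace receives the EmailEvents table with its SenderFromAddress, EmailDirection and AttachmentCount columns; the sample rows, addresses and message IDs are constructed stand-ins so the query runs without tenant data.

```kusto
// Constructed sample rows standing in for EmailEvents (assumption: the real
// table is available in the workspace, as the query in the thread requires).
let SampleEmailEvents = datatable(
    TimeGenerated: datetime,
    InternetMessageId: string,
    SenderFromAddress: string,
    RecipientEmailAddress: string,
    EmailDirection: string,
    AttachmentCount: int)
[
    // Same message delivered to two recipients: appears as two rows.
    datetime(2023-01-03 09:00:00), "<msg-001@contoso.example>", "alice@contoso.example", "bob@contoso.example",   "Intra-org", 22,
    datetime(2023-01-03 09:00:00), "<msg-001@contoso.example>", "alice@contoso.example", "carol@contoso.example", "Intra-org", 22,
    // Outbound message over the threshold.
    datetime(2023-01-03 10:15:00), "<msg-002@contoso.example>", "alice@contoso.example", "ext@partner.example",   "Outbound",  31,
    // Inbound message exactly at the threshold.
    datetime(2023-01-03 11:30:00), "<msg-003@partner.example>", "ext@partner.example",   "bob@contoso.example",   "Inbound",   20,
    // Below the threshold: must not be reported.
    datetime(2023-01-03 12:45:00), "<msg-004@contoso.example>", "bob@contoso.example",   "alice@contoso.example", "Intra-org", 3
];
let Threshold = 20;   // attachment count from the original question
SampleEmailEvents
| where AttachmentCount >= Threshold
// Collapse per-recipient rows so each message is counted once.
| summarize arg_max(TimeGenerated, *) by InternetMessageId
// One result row per sender and direction, suitable as alert entities.
| summarize
    Messages = count(),
    MaxAttachments = max(AttachmentCount),
    LastSeen = max(TimeGenerated)
    by SenderFromAddress, EmailDirection
| order by Messages desc, LastSeen desc
```

Replacing `SampleEmailEvents` with `EmailEvents` and adding a time filter turns this into a scheduled analytics rule query; like the query in the thread, it reports after delivery and does not stop the message in transit.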