Exchange Email DLP

Copper Contributor

Hello, 

 

I have created a DLP policy with one rule for Exchange Email for PII Data. 

 

Conditions
Content is shared from Microsoft 365 with people outside my organization
And
Content contains any of these sensitive info types: Credit Card Number, U.S. Bank Account Number, U.S. Social Security Number (SSN)
And
Content contains any of these sensitive info types: U.S. / U.K. Passport Number, U.S. Driver's License Number, U.S. Physical Addresses
And
Content contains any of these sensitive info types: All Full Names
Actions
Send alerts to the Administrator

Since I've selected the Conditions Content shared from Microsoft 365 with people outside my organization, we used to get alerts within the same domain (username1[@]abc[.]com as sender and (username2[@]abc[.]com) as recipient domain).

Even though I had excluded and tested the recipient ID (username2[@]abc[.]com)and recipient domain(ABC[.]com), I still had no luck. 

Below is the Rule for exclusions, 

Conditions
Content is shared from Microsoft 365 with people outside my organization
And
Content contains any of these sensitive info types: Credit Card Number, U.S. Bank Account Number, U.S. Social Security Number (SSN)
And
Content contains any of these sensitive info types: U.S. / U.K. Passport Number, U.S. Driver's License Number, U.S. Physical Addresses
And
Content contains any of these sensitive info types: All Full Names
And
NOT
Recipient domain is: ABC[.]com
Actions
Send alerts to the Administrator

 

Anything am I missing? 

Thanks in advance. 

2 Replies

@Odha20 

 

Would suggest to test the condition behavior one by one

I have tested initially. We haven't seen any internal recipient accounts triggered. Still, we are in the face of the development.
The main concern is why it is picking the internal account even though we use Conditions
"Content is shared from Microsoft 365 with people outside my organization".