Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Block labeled file with sensitive information being send with email

Copper Contributor

I have enabled DLP polices to block a files sent by email when it contains credit card numbers. This works fine when the file is unencrypted. When I send a labeled file with the same credit card numbers then DLP does not block it and report that no sensitive data is detected.

What do I miss here?

2 Replies
best response confirmed by newlunga (Copper Contributor)
Solution

@newlunga 

 

Thank you for posting your question here. Just to confirm, the scenario is this:

 

  • You have a DLP scoped to Exchange Online that blocks emails/files that contain credit card numbers from being shared outside of your organization
  • This policy does not look for sensitivity labels as a condition
  • This policy works if the file is not labeled
  • This policy does not work if it is labeled, even if it contains a credit card number

Please let me know if any of the above are incorrect.

 

With that being said, would you be willing to share some images of your DLP policy by chance? Feel free to share them in a direct message to me if you're not comfortable sharing them here.

 

I have a similar policy and I have confirmed that the email gets blocked even if the file is labeled and that label forces encryption on the file.

 

As you can see in the below image, my DLP policy is looking for a set list of sensitive info types and a set list of sensitivity labels (none of these labels were used to test your scenario).

 

miller34mike_0-1689352172816.png

 

 

Now, I have a document that contains a small amount of credit card numbers (I know that Microsoft Purview accurately detects the CCNs in this document), which has the sensitivity label "Auth Users" applied to it, which as you can see in the policy, is not a label I am blocking through DLP.

 

miller34mike_1-1689352310888.png

 

If I attach this document to an exchange email and attempt to send it externally, it will let me hit send, but I then receive a bounce back email informing me that the message was blocked during send after detecting the credit card numbers in the attachment.

 

miller34mike_2-1689352499016.png

 

In the incident report email, I can see it was blocked based on the credit card numbers.

 

miller34mike_3-1689352637853.png

 

So, as you can see, even if the file is encrypted, I should still be prevented from sending a file containing credit card numbers to external recipients due to my Exchange Online DLP policy so I'd love to review your policy and see if we can identify what the cause may be on this.

 

 

 

 

Hello @miller34mike.
Thank you for your comprehensive post. I figured out that I left out the "sensitivity labels" from the condition. I included this and the policy works fine. I appreciate your response.
1 best response

Accepted Solutions
best response confirmed by newlunga (Copper Contributor)
Solution

@newlunga 

 

Thank you for posting your question here. Just to confirm, the scenario is this:

 

  • You have a DLP scoped to Exchange Online that blocks emails/files that contain credit card numbers from being shared outside of your organization
  • This policy does not look for sensitivity labels as a condition
  • This policy works if the file is not labeled
  • This policy does not work if it is labeled, even if it contains a credit card number

Please let me know if any of the above are incorrect.

 

With that being said, would you be willing to share some images of your DLP policy by chance? Feel free to share them in a direct message to me if you're not comfortable sharing them here.

 

I have a similar policy and I have confirmed that the email gets blocked even if the file is labeled and that label forces encryption on the file.

 

As you can see in the below image, my DLP policy is looking for a set list of sensitive info types and a set list of sensitivity labels (none of these labels were used to test your scenario).

 

miller34mike_0-1689352172816.png

 

 

Now, I have a document that contains a small amount of credit card numbers (I know that Microsoft Purview accurately detects the CCNs in this document), which has the sensitivity label "Auth Users" applied to it, which as you can see in the policy, is not a label I am blocking through DLP.

 

miller34mike_1-1689352310888.png

 

If I attach this document to an exchange email and attempt to send it externally, it will let me hit send, but I then receive a bounce back email informing me that the message was blocked during send after detecting the credit card numbers in the attachment.

 

miller34mike_2-1689352499016.png

 

In the incident report email, I can see it was blocked based on the credit card numbers.

 

miller34mike_3-1689352637853.png

 

So, as you can see, even if the file is encrypted, I should still be prevented from sending a file containing credit card numbers to external recipients due to my Exchange Online DLP policy so I'd love to review your policy and see if we can identify what the cause may be on this.

 

 

 

 

View solution in original post