Thank you for posting your question here. Just to confirm, the scenario is this:
- You have a DLP scoped to Exchange Online that blocks emails/files that contain credit card numbers from being shared outside of your organization
- This policy does not look for sensitivity labels as a condition
- This policy works if the file is not labeled
- This policy does not work if it is labeled, even if it contains a credit card number
Please let me know if any of the above are incorrect.
With that being said, would you be willing to share some images of your DLP policy by chance? Feel free to share them in a direct message to me if you're not comfortable sharing them here.
I have a similar policy and I have confirmed that the email gets blocked even if the file is labeled and that label forces encryption on the file.
As you can see in the below image, my DLP policy is looking for a set list of sensitive info types and a set list of sensitivity labels (none of these labels were used to test your scenario).
Now, I have a document that contains a small amount of credit card numbers (I know that Microsoft Purview accurately detects the CCNs in this document), which has the sensitivity label "Auth Users" applied to it, which as you can see in the policy, is not a label I am blocking through DLP.
If I attach this document to an exchange email and attempt to send it externally, it will let me hit send, but I then receive a bounce back email informing me that the message was blocked during send after detecting the credit card numbers in the attachment.
In the incident report email, I can see it was blocked based on the credit card numbers.
So, as you can see, even if the file is encrypted, I should still be prevented from sending a file containing credit card numbers to external recipients due to my Exchange Online DLP policy so I'd love to review your policy and see if we can identify what the cause may be on this.