Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Is there a way to only alert on emails sent externally?

Copper Contributor

Currently, the DLP policies are configured to detect content when shared with people outside of the organization. However, we are seeing internal to internal email communications. How do we fix this? Thank you.

3 Replies

@skwahaes1122 

 

Check the DLP policies settings. In the Advance DLP rule, check if both options for "Content is shared from Microsoft 365" is selected

It is likely that these 2 are both selected and using the OR operator.

 

vicwingsing_1-1709070809981.png

The fix is you delete the condition for 'Only with people inside my organisation'

@vicwingsing 
Hi Victor thank you for the reply! I am re-checking all of our policies and can confirm that none of them contain the OR statement you mentioned below. The email sender is an auto reply inbox, wonder if it could be detecting it as an external account? But still doesn't make sense to me why it would?

Here is an example of one:

kburx1122_1-1709072382734.png

And here is the example alert found within Activity Explorer:

 
 

 

 

 

 

 

 

 

 

 

 

@skwahaes1122 

 

I'd check the following:

 

1. Open up the Email headers of the auto reply email. Check if it has the same details (origin, smtp servers) as the regular user generated mail

2. Create an a group within the policy then specifically exclude the auto reply emails