DLP - Unknown External Recipient


Below are the matched DLP details:

Title: DLP Test
Document owner:
Person who last modified document:
Person sharing item: AlI Vex AllV@externaldomain.com
To: user@internaldomain.com
Cc: admin@internaldomain.com
Bcc:
Severity: High
False positive: No
Override: No

Condition matched: External recipients
Condition matched: Contains sensitive information

...

Detected: External recipients, user@unknowndomain.com

Issue

The detected external domain is not listed in the To, Cc, or Bcc lines.

Question

Is there a way to investigate what policy is adding an external recipient if there is any?

Could the external recipient be added and hidden by the sender? Is there a way to verify this?

Can a matched DLP policy mail flow be traced to view all policies\rules that the email matched during its transportation?

Any suggestion or thought is welcome.

FYI - Message tracing does not provide the details needed.

Thanks

0 Replies