We're using Sensitivity Labels to classify content in our organization. We'd like to have Exchange automatically block the sharing of content with certain labels, except if the recipient's domain is in a list of approved domains.

We've set up a mail flow rule that addresses this properly when the label is applied directly to the email itself (i.e., a message header includes ... msip_labels ... MSIP_Label_xxx_Enabled=true). However, this rule is not triggered when only an attachment has the sensitivity label applied to it.

As I see it, we can either (a) set up parallel mail flow rules, one for email headers and one for attachments, or (b) ensure that an attachment's label gets applied to the email itself. Since (a) carries the additional burden of maintaining two parallel lists of authorized domains (one per rule), it seems that it would be preferable to have Outlook (or the AIP Client?) automatically apply an email attachment's label to the email itself. (Note that it could very well just be a default / suggested label with user override -- this is intended only to minimize the odds of careless disclosures, not stop a determined malicious insider.)

Our label policy has the "default email label" set to "same as document", but that's not resulting in emails being automatically classified with the attachment's label. The only documentation I could find on this topic referred to "auto-labeling policies", which don't work in our case since they don't support a condition like "an attachment has a sensitivity label of X" (they would work for something like "the email contains credit card numbers" or "an attachment cannot be scanned").

Is this type of automatic classification possible? If so, could anyone point me to instructions for setting it up? Thank you in advance.