Attachment Count for Exchange Online Traffic


Hello everyone,

I'm managing a project for my customer, and they wish to block their users when an email is sent inside-to-inside, outside-to-inside, or inside-to-outside and the email contains 20 or more attachments or is more than 20 MB in size.

The 20 MB size is easy to do, because it can be configured in the default DLP policies. But I'm not sure how to count attachments. Is there any way to do it with other services, like Defender for Cloud Apps, Insider Risk Management, or Exchange Online Transport Rules?

Thank you!

5 Replies
There's nothing built-in in M365 to address this scenario.
Thank you for the answer!
Do you know of any workaround here?
Perhaps some Outlook add-in can do it. Using custom transport agents is not possible in Exchange Online, so outside of a client-side solution, the only thing that comes to mind is redirecting the mail flow to an external system that can satisfy these criteria.
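As an added illustration of the check such an external system would have to make (this is not code from the thread or from any Microsoft product), the sketch below parses a raw message and applies the two limits from the question. The names `evaluate` and `build_sample`, the example.com addresses, the choice to skip inline parts, and measuring size on the raw encoded message are all assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_ATTACHMENTS = 20           # block at 20 or more attachments (from the question)
MAX_BYTES = 20 * 1024 * 1024   # block above 20 MB, read as MiB of raw message (assumption)

def _files(part):
    """Yield parts that carry a file; an attached .eml counts once, inline parts are skipped."""
    disp = part.get_content_disposition()
    if disp == "attachment" or (disp is None and part.get_filename()):
        yield part
    elif part.is_multipart():
        for sub in part.iter_parts():
            yield from _files(sub)

def evaluate(raw: bytes, max_files: int = MAX_ATTACHMENTS, max_bytes: int = MAX_BYTES) -> dict:
    """Return the verdict a hypothetical relay would apply to one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "(unnamed)" for p in _files(msg)]
    reasons = []
    if len(names) >= max_files:
        reasons.append(f"{len(names)} attachments, limit is fewer than {max_files}")
    if len(raw) > max_bytes:
        reasons.append(f"{len(raw)} bytes, limit is {max_bytes}")
    return {"attachments": len(names), "size": len(raw),
            "reject": bool(reasons), "reasons": reasons}

def build_sample(n: int, inline_logo: bool = False) -> bytes:
    """Constructed test message with n file attachments (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", "constructed sample"
    m.set_content("See attached.")
    if inline_logo:
        # Inline signature image: has a filename but is not counted as an attachment.
        m.add_attachment(b"\x89PNG", maintype="image", subtype="png",
                         disposition="inline", filename="logo.png")
    for i in range(n):
        m.add_attachment(b"x" * 64, maintype="application", subtype="octet-stream",
                         filename=f"file{i}.bin")
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (build_sample(19, inline_logo=True), build_sample(20)):
        print(evaluate(raw))
```
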
All I can think of is if you use Sentinel and create an alert with a playbook to block the user when the attachment count exceeds 20. For example, the query will list all the records of users who sent attachments with a count of 20 or higher:

// Table name is missing from the post; OfficeActivity is assumed from the columns used
OfficeActivity
| where RecordType contains "exchange"
| where Operation contains "send"
| extend InternetMessageId_ = tostring(parse_json(Item).InternetMessageId)
| join kind=innerunique EmailEvents on $left.InternetMessageId_ == $right.InternetMessageId
| extend Attachments_ = tostring(parse_json(Item).Attachments)
| where AttachmentCount >= 20

(sorry, query is not polished but it gets the job done)
Sentinel is not a part of the project yet. Thank you for the answer.
Just discovered that the Insider Risk Management data leak policy has a "Sending email with attachments to recipients outside the organization" rule, which also lets you set thresholds. I couldn't succeed in triggering the policy with custom thresholds, but with the defaults it's working and generating alerts.