Forum Discussion

gencv's avatar
gencv
Copper Contributor
Aug 31, 2020
Solved

Block sending emails containing attached sensitive documents

Hi,

 

Is it possible to create an EXO mail flow rule to block sending to externals, emails that contain attached labeled documents?

Documents are labeled via sensitivity labels (i.e. strictly confidential). 

 

Thanks,

Genc

information protection and governance
microsoft information protection
  • ChristianBergstrom's avatar
    ChristianBergstrom
    Aug 31, 2020

    gencv Hello, you can configure it for attachments as well.

     

    "If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message."

     

    Look at this example for guidance https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules#example-2-rule-that-applies-the-encrypt-only-option-to-emails-when-they-have-attachments-that-are-labeled-confidential--partners-and-these-emails-are-sent-outside-the-organization

5 Replies

Sort By
  • Lassaad's avatar
    Lassaad
    MCT
    May 22, 2021
    You can use powershell to get blocked with a pop up notificiation when sensitive label is Highly Confidential for example :

    Set-ExecutionPolicy RemoteSigned
    $UserCredential = Get-Credential

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session -DisableNameChecking

    (Get-LabelPolicy -Identity "Highly Confidential").settings
    # you can get the GUID of your Label
    Get-Label | Format-Table -Property DisplayName,Name, Guid -AutoSize
    # add your domain here or any other trusted domain that you went to allow
    Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockTrustedDomains="onmicrosoft.com"}
    #use the guid of you label in this command
    Set-LabelPolicy -Identity "Highly Confidential" -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="GUID of Your Label"}




  • ChristianBergstrom's avatar
    ChristianBergstrom
    Silver Contributor
    Aug 31, 2020

    gencv Yes, see this article https://office365itpros.com/2019/12/16/blocking-outbound-messages-stamped-office-365-sensitivity-label/

    • gencv's avatar
      gencv
      Copper Contributor
      Aug 31, 2020

      ChristianBergstrom thank you for the feedback. Actually the link describes the way how to block a labeled email, but not a labeled attachment.
      I need a mail flow rule that can be created based on the attachment label.

      Use case: I label an email as General and attach on it a document labeled as Secret.

       

      I'm trying via mail flow rule:

      1. Apply this rule if: the recipient is outside the organization

      and

      2. Any attachment: has these properties, including any of these words

      Property: Confidentiality --> Value: Secret

      3. Reject the message with the explanation: Secret document cannot be sent outside the company

      ...but so far it doesn't work.

       

      • ChristianBergstrom's avatar
        ChristianBergstrom
        Silver Contributor
        Aug 31, 2020

        gencv Hello, you can configure it for attachments as well.

         

        "If found, we know that this message (or one of its attachments) is protected with the label, so the rule can go ahead and block the message."

         

        Look at this example for guidance https://docs.microsoft.com/en-us/azure/information-protection/configure-exo-rules#example-2-rule-that-applies-the-encrypt-only-option-to-emails-when-they-have-attachments-that-are-labeled-confidential--partners-and-these-emails-are-sent-outside-the-organization

Resources