Inbound Email triggers DLP Policy


I have a DLP policy to catch financial info from being emailed out by my users.

However, we received an alert for an inbound email which had a routing number and account number for an invoice. The email was bounced back to the sender - and to me, the security admin.

Is there a way to prevent DLP triggering inbound? The policy was set up in Security and Compliance Center, not Exchange Admin.

10 Replies

DLP does not trigger inbound, and there are no such options to configure. If you previously had DLP rules configured in the Exchange Admin Center, it's possible that some of the corresponding Transport rules are misconfigured to fire on both outgoing/incoming messages, so check for that.

@Tony Redmond might have some additional insights here.
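
One way to run the transport-rule check suggested above, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session; the `MayFireInbound` column is a heuristic introduced here, not an Exchange property.

```powershell
# Read-only audit: list Exchange transport (mail flow) rules that carry DLP
# conditions and show whether each one is scoped to outbound mail.
# Assumes an Exchange Online session already exists (Connect-ExchangeOnline).

# Rules created from an EAC DLP policy have DlpPolicy set; rules that match
# sensitive information types have MessageContainsDataClassifications set.
$dlpRules = Get-TransportRule | Where-Object {
    $_.DlpPolicy -or $_.MessageContainsDataClassifications
}

$report = foreach ($rule in $dlpRules) {
    # Heuristic (assumption of this example): a rule counts as outbound-scoped
    # if the sender must be internal or the recipient must be external.
    $outboundScoped = ($rule.FromScope -eq 'InOrganization') -or
                      ($rule.SentToScope -eq 'NotInOrganization')

    [pscustomobject]@{
        Name           = $rule.Name
        State          = $rule.State        # Enabled / Disabled
        Mode           = $rule.Mode         # Audit / AuditAndNotify / Enforce
        DlpPolicy      = $rule.DlpPolicy
        FromScope      = $rule.FromScope
        SentToScope    = $rule.SentToScope
        MayFireInbound = -not $outboundScoped
    }
}

if (-not $report) {
    # No DLP-bearing transport rules: any inbound match is not coming from EAC.
    Write-Output 'No transport rules with DLP conditions were found.'
} else {
    # Rules with no sender/recipient scope sort to the top for review.
    $report | Sort-Object MayFireInbound -Descending | Format-Table -AutoSize
}
```

An empty result supports the statement made later in the thread that nothing was configured in Exchange, which leaves the Security and Compliance Center policy as the thing to examine.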

1. Do you have transport rules configured with DLP?

2. The SCC (Office 365) DLP rules are expanding their coverage of email operations, so it is possible that they might have caught this too.

Impossible to say what happened without looking at the rules. Can you share the logic?

I'm almost 100% sure that's not caused by the Unified DLP - I just did a test to confirm. Outbound was captured, inbound arrived with no detections.

Hmm, I'll take a look at the Exchange admin - but I don't believe I have ever configured anything there - it was all done from Sec & Comp center.

I've got a DLP rule in SCC that is set to detect "Any volume of content detected U.S. Financial CC only", and this setting catches external emails coming in that contain CC data.

OK so it's not just me - sounds like you have the same thing.

Is that the behavior you want?

If you can reliably reproduce it, open a support case. It does not work for me via SCC rules.

I don't mind it. It helps keep track of incoming CC info, and can help identify business process gaps, to give customers a secure payment process, compared to sending sensitive information in non-encrypted emails.

The rules were created in the SCC - nothing has ever been done in Exchange.

The weird thing is that I have checked and there are other emails that were received to the accounts payable address which also contained information which should have triggered the same rule but did not. It appears to have been from 2 email senders that the issue occurred.

Is there a way to prevent DLP from inbound external email?

We have the same issue: a DLP policy configured through the Compliance Center, no DLP policies configured in Exchange Admin Center, and both inbound and outbound emails trigger the policy. (External sender also gets a copy of the policy tip email.)

Can't find anything about this in the documentation, and per Vasil it's not expected behavior. Does anyone have a clue of what could be causing it?