Exclude messages from being scanned by DLP policies


I am utilizing the EAC mail flow rule set up by Microsoft to allow users to encrypt messages by typing encrypt into the subject line of their email when sending out emails with sensitive information. Since not all users will remember this, I have enabled DLP policies to help catch these emails and encrypt them when needed.

The problem is, these policies don't interact with each other like I thought they would. Even if an email is encrypted, it's still being scanned and flagged by DLP policies. As far as I can tell, my only option is to turn on the DLP policies and set the action to "encrypt" anytime the information it's monitoring for is found, whether the email is already encrypted or not.

Is there any way to omit emails that have already been encrypted by the end user from being scanned by the DLP policies? Or for the DLP policies to detect that it has been encrypted and just let the email send through without reporting those instances?

It seems like the Encryption rule Microsoft enabled for users to encrypt their own emails is completely pointless if DLP is being utilized. End user training isn't even needed to teach them how to encrypt their own emails, but instead just enable DLP and have it encrypt everything that is being sent out with sensitive information.

Similar to what this user is commenting on: https://office365.uservoice.com/forums/289138-office-365-security-compliance/suggestions/18628825-al...
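One way to express the setup the question describes in Exchange Online PowerShell, as an added example that is not from the original thread: the rule names, the SSN classifier and the admin mailbox are placeholders, and it is an assumption (to verify in your own tenant) that a subject-keyword exception on the DLP rule is enough to keep the DLP match from firing.

```powershell
# Added example, not from the original thread. Assumes an Exchange Online tenant and an
# admin session already opened with Connect-ExchangeOnline (mail flow rule) and
# Connect-IPPSSession (DLP cmdlets) from the ExchangeOnlineManagement module.
# All names below are placeholders.

# 1. Mail flow rule: a sender who types "encrypt" in the subject gets the message
#    protected with the built-in "Encrypt" template when it leaves the organization.
New-TransportRule -Name "User-initiated encryption" `
    -SubjectContainsWords "encrypt" `
    -SentToScope NotInOrganization `
    -ApplyRightsProtectionTemplate "Encrypt"

# 2. DLP policy scoped to all Exchange Online mailboxes, in enforcing mode.
New-DlpCompliancePolicy -Name "PII outbound" -ExchangeLocation All -Mode Enable

# 3. DLP rule: when PII is found, encrypt the message and report the incident, but
#    skip messages the sender already flagged with the subject keyword.
#    (Assumed behaviour of the exception; confirm with a test message.)
New-DlpComplianceRule -Name "Encrypt PII unless user already did" `
    -Policy "PII outbound" `
    -ContentContainsSensitiveInformation @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -ExceptIfSubjectContainsWords "encrypt" `
    -EncryptRMSTemplate "Encrypt" `
    -GenerateIncidentReport "dlp-admin@contoso.example"

# 4. Read the rule back to confirm the exception and the encrypt action were stored.
Get-DlpComplianceRule -Identity "Encrypt PII unless user already did" |
    Format-List Name, ExceptIfSubjectContainsWords, EncryptRMSTemplate, GenerateIncidentReport
```

The caveat raised in the second reply applies here: a subject-keyword exception lets any sender skip the DLP check simply by typing the word, so if that risk matters more than duplicate reports, drop -ExceptIfSubjectContainsWords and let the DLP encrypt action fire on already-encrypted messages as well.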

2 Replies

@EASchmitt 

Did you get anywhere with this?

I am looking into this as well. Super helpful to have a DLP send a notification to the user stating "We have detected information in the message that contains PII," and BLOCK it the first time, please send as an encrypted message and continue to block it until encryption is applied.

I know the safeguards of just encrypting random messages to get around the DLP.