
How can we improve compliance or protect your users better in Office 365?

Allow DLP rule exception for encrypted outbounds

DLP rules do not allow an exception of the predicate "MessageTypeMatches" with the notify sender action. Doing so results in the error:
One of the conditions you specified can't be used for rules where you want to notify the sender. Error details: The NotifySender action isn't compatible with 'MessageTypeMatches' predicate.
I would like to trigger a rule on outbound matches unless the message is encrypted in order to enforce our internal policy compliance.

257 votes
Josh shared this idea

    12 comments

      • Steven commented

        November 4, 2018 - Still a problem. It's pretty obvious Transport Rules are not applied before DLP rules like the documentation says here - https://docs.microsoft.com/en-us/office365/securitycompliance/how-dlp-works-between-admin-centers#how-dlp-in-the-security--compliance-center-works-with-dlp-and-transport-rules-in-the-exchange-admin-center.

        Considering this has been a problem for at least over a year... I wonder if Microsoft reads this stuff.

        I guess I'll save my typing. What a cluster-fsck.

      • Anonymous commented

        Agreed... Where a sender is inside the organization and has already encrypted an outgoing email, it does not make sense that the default HIPAA compliance DLP policy would then inspect the email. For the encryption process has already deemed the email as compliant.

      • Anonymous commented

        We have been struggling with this also. If you create a Mail flow rule to try to do this, it does not work. I really wish MS would not push things out like this so untested! MS please fix DLP or Mailflow rules!

      • Anthony J Vlachos commented

        This is still an issue, just spent almost 2 hours on the phone with support to find out we could not override the DLP rule and prevent users from being falsely notified after they sent a secure email.
        Time to get this updated.

      • Jeremy commented

        Any update on if this is going to be possible in the near future? My clients are also requesting this feature. Until it's in place, they only consider this a partial solution, or will not use it at all to help ensure financial data is secured.

      • Anonymous commented

        Got very surprised when I discovered this could not be achieved. Now the function is quite confusing for our users who receive an email alert even if they encrypt the mail.

        +The Swedish report button text is wrongly translated and has the opposite meaning. Totally misleading.

      • Shane commented

        A major dropped ball in my opinion. Should be very simple - set up a rule to check for sensitive data. If the rule is triggered, stop the e-mail UNLESS the message is already encrypted, then let the message go free. Please get this changed right away MS!!

      • Zeff Wheelock commented

        I have an email transport rule. Apply This Rule If... The Recipient is located outside of the organization AND The message contains any of these sensitive information types... U.S. Social Security Number (SSN). Do the following: Encrypt the messages with the previous version of OME AND Notify the Sender with a policy tip: Notify the sender, but allow them to send. I am trying to add an exception: Except If The Subject includes encrypt (or even message header Subjects includes encrypt). I get an error: "One of the conditions you specified can't be used for rules where you want to notify the sender. Error Details: The NotifySender action isn't compatible with 'Subject Contains' predicate." We want to notify our users when they do not secure an email correctly.

      • sk commented

        Yes I agree. I would like to send an educational email back to the user (and not deliver the message) if DLP match EXCEPT if they encrypted the message.

      • Jeff commented

        Yes this enhancement is crucial for the business process. Has there been any advancement in this area?

      • Anonymous commented

        Yes, I agree. The emails the DLP rules under Security and Compliance are much better than the email bounces you receive when you set up DLP policies in Exchange. However, since you cannot set up keyword exceptions on the Security and Compliance section of Office 365, I agree this would be a great feature update.
