Allow Office DLP rule exception for encrypted outbound emails
DLP rules do not allow an exception of the predicate "MessageTypeMatches" with the notify sender action. Doing so results in the error:
One of the conditions you specified can't be used for rules where you want to notify the sender. Error details: The NotifySender action isn't compatible with 'MessageTypeMatches' predicate.
I would like to trigger a rule on outbound matches unless the message is encrypted in order to enforce our internal policy compliance.
I like the idea of having the mail flow rule and the DLP policies aligning. What we see today is:
* Mail flow rule works with Outlook Win32 app, but not other platforms, i.e. OWA, Mac, etc.
* DLP policies work great when trying to use the share option in SharePoint or OneDrive
It would be nice to have an option that provided a DLP policy that applied to both Sharing and Email and worked with all platforms.
Would be nice if the O365 Compliance DLP policy and Exchange mail flow DLP rules could work in tandem to identify and block transfer of sensitive information but also allow that behavior if the message is encrypted or the sender matches a group/role allowing that action.
Please add me to this.
Carl Slaughter commented
Please add me to this!
Joe Koodray commented
This is a rudimentary process that should have been incorporated when the DLP process was set up. How can you ask staff to follow a process - encrypt sensitive data when sending outbound via email - and when they do - label them as non-compliant? This can't be that difficult to implement - maybe the solution is a transport rule? I was about to socialize an email to staff informing them that blocking will commence - but DLP will flag regardless. Help?
Michael Adams commented
I just spent a good hour researching and testing to find this via a Microsoft forum thread explaining why our encrypted emails were still getting caught by DLP. We had a mail transport rule set up and a similar DLP rule - but the transport rule allows an exception to quarantine if the email was encrypted. I do not understand why, if our transport rule allows an exception for encrypted messages, the DLP policy would fail to work in conjunction with that?
The funny thing is that if we weren't using the "Fancy DLP" stuff via the portal in the EAC, then editing the Mail Transport rule allows you the option to "Add this to DLP Policy" if you're using the "Simple Exchange Only DLP stuff".
Cumbersome but works - in EAC, add Rule to modify subject (probably already have one to apply OME). Add DLP with top priority to check subject and stop processing additional DLP policies.
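One way to build the subject-tag workaround described in the comment above, written here as an added example for Exchange Online / Security & Compliance PowerShell (this is not code from the thread or from Microsoft). It assumes a tag word of "[SECURE]", the rule and policy names shown, the "U.S. Social Security Number (SSN)" built-in sensitive information type, and that the tag is present in the subject before the message is evaluated (typed by the sender, or added by an existing client-side process); the cmdlet parameters are the ones documented for current Exchange Online PowerShell, which may postdate the original comment.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline and
# Connect-IPPSSession have already been run for the tenant.
$tag = "[SECURE]"   # assumed tag word; pick one users will not use by accident

# 1. Mail flow rule (EAC side): outbound mail carrying the tag gets OME applied,
#    so the tag and the encryption go together.
New-TransportRule -Name "OME - subject tag" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords $tag `
    -ApplyOME $true

# 2. DLP policy (compliance side) with two rules. The top-priority rule matches
#    the same tag and stops further DLP rule processing, so the notify rule
#    below never fires for tagged (and therefore encrypted) messages.
New-DlpCompliancePolicy -Name "Outbound PII" -ExchangeLocation All -Mode Enforce

New-DlpComplianceRule -Name "Skip tagged encrypted mail" -Policy "Outbound PII" `
    -SubjectContainsWords $tag `
    -StopPolicyProcessing $true `
    -Priority 0

New-DlpComplianceRule -Name "Notify on unencrypted PII" -Policy "Outbound PII" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)" } `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -Priority 1

# Verify the ordering: the skip rule must sit above the notify rule.
Get-DlpComplianceRule -Policy "Outbound PII" | Sort-Object Priority |
    Select-Object Name, Priority, StopPolicyProcessing
```

The design choice here is that the DLP exception keys on the subject tag rather than on the MessageTypeMatches predicate, which the error at the top of the thread shows cannot be combined with notify-sender. The trade-off is that anyone who puts the tag in a subject bypasses the notify rule, so keep the OME rule in step 1 so that a tagged message is always encrypted, and review the incident reports for tagged mail periodically.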
This is beyond absurd! I just chewed out an employee for not using the email encryption functionality because I got an alert .... only to find out THEY did do the right thing and it's Office365 that's screwed up. Why on earth would it ever be considered desirable behavior to treat encrypted and unencrypted emails as indistinguishable for DLP purposes? Or is that a statement on how much MS trusts Outlook encryption????
Damon LaBette commented
We are trying to get our users to encrypt. DLP notifications are set to go to a central admin for any outbound sensitive information. Even when a user is doing things right and encrypting their messages, both they and the central admin get notifications for messages that were sent encrypted.
This has been here for over two years. There is a DLP / encrypted exception available for mail flow rules (but mail flow rules can't check attachments), so this is extremely important.
WHY?!? Why does Microsoft continue to ***** sys admins like this? This needs to be fixed! 4 calls and 16 hours later, support led me here. WHAT A CROCK! How do we get users to pay attention to DLP alerts when they are trying to make their best effort to protect data (like encrypting email before sending) and they still get these notifications stating they did something wrong! Microsoft MUST BE REPLACED WITH A SERVICE PROVIDER THAT ACTUALLY PROVIDES SOLUTIONS THAT WORK!
This is stupid. MS, you are failing.
Josh - can you achieve your stated outcome by just auto-encrypting the outbound message if it matches your conditions? Above you want to block the message and advise the sender unless it is encrypted.
Microsoft, "hello...hello"...could you resolve this issue please?
November 4, 2018 - Still a problem. It's pretty obvious Transport Rules are not applied before DLP rules like the documentation says here - https://docs.microsoft.com/en-us/office365/securitycompliance/how-dlp-works-between-admin-centers#how-dlp-in-the-security--compliance-center-works-with-dlp-and-transport-rules-in-the-exchange-admin-center.
Considering this has been a problem for at least over a year... I wonder if Microsoft reads this stuff.
I guess I'll save my typing. What a cluster-fsck.
Agreed.... Where a sender is inside the organization and has already encrypted an outgoing email, it does not make sense that the default HIPAA compliance DLP policy would then inspect the email, for the encryption process has already deemed the email as compliant.
We have been struggling with this also. If you create a Mail flow rule to try to do this, it does not work. I really wish MS would not push things out like this so untested! MS please fix DLP or Mailflow rules!
Anthony J Vlachos commented
This is still an issue, just spent almost 2 hours on the phone with support to find out we could not override the DLP rule and prevent users from being falsely notified after they sent a secure email.
Time to get this updated.
Any update on if this is going to be possible in the near future? My clients are also requesting this feature. Until it's in place, they only consider this a partial solution, or will not use it at all to help ensure financial data is secured.
Got very surprised when I discovered this could not be achieved. Now the function is quite confusing for our users who receive an email alert even if they encrypt the mail.
The Swedish report button text is wrongly translated and has the opposite meaning. Totally misleading.