DLP Notifications on Incoming External Email
We found that when using the "InOrganization" option in a rule, emails from external mail accounts triggering this rule caused notifications with the original email attached to be sent back outside the organization to the external sender.
The last thing we want is for sensitive information sent to us to be immediately sent back out over the internet!
This should be preventable when configuring the rules and it should be much more clearly documented.
The workaround we have in place is to block the outgoing messages at the transport level.
Office 365 support recommended the following:
Create ETR to block DLP notifications sent towards external addresses:
- if the recipient is Outside...
- if the "X-MS-Exchange-Generated-Message-Source" header contains: DLP Policy Agent
- delete the message
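One way to create the transport rule that support describes, via Exchange Online PowerShell (an added example, not from the original post or from Microsoft support; the rule name and the existing Connect-ExchangeOnline session are assumptions):

```powershell
# Added example: build the recommended ETR with New-TransportRule.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with
# rights to manage transport rules; the rule name below is an arbitrary choice.
$ruleName = 'Block DLP notifications to external recipients'

New-TransportRule -Name $ruleName `
    -Comments 'Workaround: stop DLP Policy Agent notifications (which carry the original message) leaving the organization' `
    -SentToScope NotInOrganization `
    -HeaderContainsMessageHeader 'X-MS-Exchange-Generated-Message-Source' `
    -HeaderContainsWords 'DLP Policy Agent' `
    -DeleteMessage $true `
    -Mode Enforce `
    -Priority 0   # evaluate before other rules so the notification never reaches a later "deliver" action

# Verify the stored conditions and action match what was intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, SentToScope, HeaderContainsMessageHeader, HeaderContainsWords, DeleteMessage
```

Running it first with `-Mode Audit` and reviewing the message trace confirms the rule only matches DLP-generated notifications, not ordinary outbound mail, before switching it to Enforce.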