DLP "Bypass" in O365
Updated: Apr 20
Quick post, this time. I've discovered recently that a Microsoft DLP policy which includes a rule to scan for credit card numbers, will "pass" an email which includes card numbers separated from correlated expiration dates by even a single Unicode character. I consider this a false negative.
You can test this by selecting some example card data from any of a number of web sites, interspersing for example "‡" between the card number and the expiration date, then sending a message with the data. The closest thing to a fix for this, for now, would be to lower the confidence level in the DLP rule down to perhaps 40% or 50% confidence. This will create more false positives, which may be of less concern to your customers than a false negative. Presumably this bypass also would be effective in SharePoint, OneDrive, and Teams, as they use the same sensitive info type.