Dan Schultz

DLP "Bypass" in O365


Quick post this time. I recently discovered that a Microsoft DLP policy that includes a rule to scan for credit card numbers will "pass" an email that contains card numbers separated from their correlated expiration dates by even a single Unicode character. I consider this a false negative.

You can test this by selecting some example card data from any of a number of web sites, inserting a character such as "‡" between the card number and the expiration date, and then sending a message containing the data. The closest thing to a fix, for now, is to lower the confidence level in the DLP rule to perhaps 40% or 50%. This will create more false positives, which may be of less concern to your customers than a false negative. Presumably this bypass would also be effective in SharePoint, OneDrive, and Teams, as they use the same sensitive info type.
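
As an added example (not part of the original post, and not Microsoft's classifier), the Python sketch below is a local cross-check you can run over message text that the policy passed: it finds Luhn-valid card numbers and looks for an expiration date nearby, treating any non-digit character next to either value as a boundary. The function names, the MM/YY and MM/YYYY date formats, the 300-character window and the sample strings are assumptions made for this example.

```python
import re

# 13-19 contiguous digits, or four groups of four joined by one repeated
# space/hyphen. Only a neighbouring digit blocks a match, so any other
# character next to the number (space, punctuation, "‡") is a boundary.
CARD_RE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}([ -])\d{4}\1\d{4}\1\d{4})(?!\d)")
# MM/YY or MM/YYYY (also with "-"), with the same digit-only boundary rule.
EXPIRY_RE = re.compile(r"(?<!\d)(?:0[1-9]|1[0-2])[/-](?:20)?\d{2}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str, window: int = 300):
    """Return (card_digits, expiry_nearby) for each Luhn-valid candidate.

    window is the number of characters searched on each side of the
    number for an expiry date (assumed value for this example).
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue
        before = text[max(0, m.start() - window):m.start()]
        after = text[m.end():m.end() + window]
        nearby = any(EXPIRY_RE.search(part) for part in (before, after))
        hits.append((digits, nearby))
    return hits


# Constructed samples using the public test number 4111 1111 1111 1111.
SAMPLES = [
    "Card 4111111111111111 exp 09/27",
    "Card 4111111111111111‡09/27",
    "Card 4111 1111 1111 1111‡09/2027",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), scan(s))
```

A number reported with `expiry_nearby` set to `True` in a message the DLP rule passed is a candidate false negative to review.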

#Office365 #DLP


© 2020 Dan Schultz