• ExchangeMaster

DLP "Bypass" in O365

Updated: Apr 20, 2021


Quick post, this time. I've discovered recently that a Microsoft DLP policy which includes a rule to scan for credit card numbers will "pass" an email that includes card numbers separated from correlated expiration dates by even a single Unicode character. I consider this a false negative.

You can test this by selecting some example card data from any of a number of web sites, inserting, for example, "‡" between the card number and the expiration date, then sending a message with the data. The closest thing to a fix for this, for now, would be to lower the confidence level in the DLP rule to perhaps 40% or 50%. This will create more false positives, which may be of less concern to your customers than a false negative. Presumably this bypass would also be effective in SharePoint, OneDrive, and Teams, as they use the same sensitive info type.
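One way to check exported or journaled message text for the same number-plus-expiry pairing without depending on which character separates the two values. This is an added example, not Microsoft's sensitive info type logic and not code from the original post; the function names, the 300-character window and the sample strings are assumptions constructed for illustration.

```python
import re

# 13-19 ASCII digits, optionally grouped by single spaces or hyphens. The lazy
# quantifier and digit-only lookarounds end the match at the first non-digit
# once 13 digits are seen, whatever that character is (space, newline, "‡").
PAN_RE = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}?(?![0-9])")
# Expiry written as MM/YY, MM/YYYY, MM-YY or MM-YYYY.
EXP_RE = re.compile(r"(?<![0-9])(?:0[1-9]|1[0-2])[/-](?:20[0-9]{2}|[0-9]{2})(?![0-9])")
WINDOW = 300  # assumed proximity window, in characters


def luhn_ok(digits):
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_with_expiry(text):
    """Return (masked card number, expiry) pairs found within WINDOW characters."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # digit run that is not a plausible card number
        # Look after the number first, then before it; never inside it.
        exp = (EXP_RE.search(text, m.end(), min(len(text), m.end() + WINDOW))
               or EXP_RE.search(text, max(0, m.start() - WINDOW), m.start()))
        if exp:
            # Mask all but the last four digits so results are safe to log.
            hits.append(("*" * (len(digits) - 4) + digits[-4:], exp.group()))
    return hits


# Constructed samples built on the public test number 4111 1111 1111 1111.
SAMPLES = {
    "space": "Card 4111111111111111 exp 12/2030",
    "dagger": "4111111111111111‡12/2030",
    "dagger_reversed": "exp 12/30 ‡ 4111-1111-1111-1111",
    "bad_luhn": "Order 4111111111111112‡12/2030",
    "no_expiry": "Ref 4111111111111111 shipped",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_card_with_expiry(body))
```
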

#Office365 #DLP
