(D)ata (L)oss (P)revention, content escapes your hands

Have no fear coz DLP is here and it won’t let your data to escape, at least if you made right configuration. It isn’t an automatic feature that you enable and forget.

There a lot of different aspect you have to consider with DLP policies.

What to protect?

You can protect what you want, it doesn’t have to be only super secret content, it can but don’t have to.

You can choose from the following conditions for your rule.

Let me open these a bit.

Content contains means that you select sensitivity info types and labels.

Sensitivity info types can be predefined or you can create your own from Data classification menu.

You can add a primary element with Regular expression, use a keyword list, select from dictionary or use functions.

Regular expressions.

Regular expressions (RegEx) are strings of text that create patterns to help identify and match the info you’re looking for. RegEx strings can be formatted many ways. For example \d{6} identifies a six-digit number in content


Keyword list.

Keyword lists identify the words and phrases you want this info type to detect. For example, the keyword list to identify Netherlands VAT numbers is ‘VAT number, vat no, vat number, VAT#’.


Keyword dictionary.

Unlike keyword lists (which are limited in size) keyword dictionaries provide easier management of keywords and at a much larger scale.



Functions are used to find text that’s formatted in a specific way. For example, ‘func_credit_card’ looks for 14 to 16 digit credit card numbers that can be formatted or unformatted and which must pass the Luhn test.Choose functions

Example of RegEx functionality

Microsoft has defined multiple different RegEx queries. I will choose the one with Finnish telephone number.

So it expression starts with +358 and then it presumes you have a zero but that’s not actually right. If my number is 04412121212 it will be displayed outside as +3584412121212

There a website that you can check your RegEx query with https://regex101.com/

When I copy paste the expression there and try it out it displays the following

but when I add a zero between, it works.

So to get Microsoft defined expression to work you can remove the zero from the query.

And voila, it works.

Now you could use DLP to prevent from sending out your mobile number in an international format. I don’t why you should but you could.

As long as you understand how expressions work, you can find pretty much anything from the content.

When the primary element is matched, any supporting elements will match only when found within this proximity to the primary element. The closer the primary and supporting elements are to each other, the more likely the detected content is going to be what you’re looking for.

And supporting elements. Adding supporting elements increases the likelihood that the detected info is a true match. For example, let’s say you want to detect nine-digit employee ID numbers. Not all nine-digit numbers are employee ID numbers, so you can add supporting elements to look for related text near the ID numbers, such as keywords like “employee”, “badge”, and “ID”. When the primary element is matched, any supporting elements will match only when found within the character proximity to the primary element.

And additional checks from the content. To further refine the evaluation and detection of matching items, you can include additional checks that include or exclude specific text and/or patterns.

I will create the following for my example.

And choosing the confidence level.

And done.

Creating a rule

Now back to Data Loss Prevention

Choose a custom policy

Add a fancy name

Choose the location and exclusions that you need.

Create a custom rule

Choose actions for the rule. You can also block third-party apps in the actions which in kind of cool feature.

I will choose restrict access and everyone as my super secret number won’t then be leaked.

And it means that Exchange email won’t be sent to recipients inside or outside your organization. For files in SharePoint, OneDrive, and teams, only the owner, last modifier, and site admin will have access.

So really really secret.

Notifying the user

Then you can add a notification for the user, policy tip is a nice one to choose.

And Microsoft reference for supported policy tips.

You can Test it out first (which is reasonable for production) but I will go full speed on turning it on right now.

End-user experience

User send an email with content that matches the expression made previously.

And they get and email saying that message was blocked and why it was blocked.

Final words

This is just one example on what you can block. With the possibilities given you can block what ever needed to protect your content.

If you have any questions on Information protection, please reach out to me on LinkedIn or Twitter.

KEEP CALM AND PROTECT PRIVACY Poster | Christian | Keep Calm-o-Matic
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *