Exchange 365, DLP, Confidential Information, and Policy Tips

Good Morning, Experts!

We utilize Exchange 365. We would like to set a rule that will stop users from sending emails with specific text strings in either the Body, Subject, or Attachment Content to an external recipient. While setting up a basic Mail  Flow or DLP rule would be easy, we want to utilize behavior that will first warn the user that they are about to send an email with sensitive content, then allow them to send the message, with proper business justification.

I have worked with DLP to try and setup this rule. However, for the behavior I want (warning, then allow with justification) I think that Policy Tips would be the best (if not only) answer, since this allows the EXACT behavior we want. The problem is, Policy Tips are EXTREMELY limited on what information can be used.

In my example above (check Subject, Body, and Attachments for text strings, then notify user that email is sensitive before they can send, and allow with justification), the following error occurs:

"The NotifySender action isn't compatible with 'SubjectOrBodyMatches' predicate."

I wanted to see what the Experts out there thought. I do not see any possible way to use Policy Tips based on the criteria outlined. If there is an alternative to Policy Tips that would allow the emails to be blocked, then released with justification (and preferably with the Generate Incident Report action) I would be game.

Thanks in advance!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

timgreen7077Exchange EngineerCommented:
Not sure about alerting the user about this via Exchange rules, but you can have the mail forwarded the user's manager for approval or to someone else for approval before the email is sent out.
WoodraxAuthor Commented:
I had thought about the mail forwarding and release, but a lot of the information that would trip this type of rule is extremely time sensitive, so that solution is out. We utilize similar rules for incoming emails that match certain criteria, and have seen delays of hours while waiting for managers to release the messages.
timgreen7077Exchange EngineerCommented:
yeah I understand what you mean. other than that, that's the only solution I can think of.
CodeTwo SoftwareSoftware DeveloperCommented:
Hi Woodrax,
Although it will not be a perfect solution, you could use mail flow rules to block the message with an explanation "This email contains sensitive data."
Then, in the rule's exceptions, insert the condition "if the subject or body includes #bypass-policy"
In such a scenario, users would be able to use the specific keyword to bypass the mail-flow rule. You could add the keyword to the explanation mentioned before.
More of a workaround than a solution, but Exchange management is like that, sometimes.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
timgreen7077Exchange EngineerCommented:
Answered author question. Closing question unless author reopens still requiring assitance.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.