Avatar of John Water
John Water
Flag for United States of America asked on

Microsoft O365 Data Loss Protection (DLP) policy to block Social Security Number not functioning properly.

I have set a MS O365 DLP policy to stop Social Security Numbers in email (including sent to or sent from outside and within our company). The policy was fully tested and working properly within the last 10 days. Now I have found the policy will not consistently block the email when the social security number is in the body of the email.
We are using policy tips.
It seems that sometimes SSNs with dashes are identified (policy tips are displayed) and SSNs with no dashes are not identified (no policy tips are displayed). Other times it is the opposite - where SSNs with dashes are not identified (no policy tips) and SSNs with no dashes are identified (policy tips are displayed)
In all these testing the Key word of SSN or Social Security Number is right before the actual number.
When SSN appears in an attachment, either with or without dashes it is identified and policy tips are displayed.

I have also have found the same issues when attempting to send email from outside sender - when SSNs in the body of the email - not blocked and when SSNs in the attachment - are blocked.

We need to be able to block Social Security Numbers from being transmitted in emails.

Does anyone know any options? How has the DLP policies in MS worked for others?I do not see where any DLP data is in the Audit logs. Are there any other locations to provide any information on the DLP activity?
I have see references to use Transport rules for blocking SSN - anyone have any thoughts (positive or negative)?

Thank you
Microsoft 365* DLPSecurity

Avatar of undefined
Last Comment
John Water

8/22/2022 - Mon
Vasil Michev (MVP)

"Common" sensitive types such as CC number and SSN are evaluated with lower certainty unless some "corroborative" evidence is found in the surrounding data, usually a keyword. Meaning that you can have 10+ SSNs in a single message and a detection will still fail if the surrounding text doesnt indicate that those are indeed SSNs and not some random numbers (which SSNs kinda are). Same for CC - I have attachment with 1000 CC numbers fail detection, while a single instance of the same table was detected just fine because I included the name, expiry and so on columns.

This is explained in the documentation: https://docs.microsoft.com/en-us/microsoft-365/compliance/what-the-sensitive-information-types-look-for?view=o365-worldwide#us-social-security-number-ssn

You can always create custom sensitive types that are "fine tuned" for your specific needs.
John Water

Thank you,
I reviewed the document and did verify the Key words "SSN" or "Social Security Number" are right before the actual numbers. This once was working with no issues and now it is not working consistently.
Are there any options to get any logs or such to get information on why it did not work? It really appears to trigger or not, with no evidence why it did or didn't.
With that, I am thinking only option is to re-create rule, any thoughts on this or any other option?

Again thank you for your time
Vasil Michev (MVP)

Well, we only have some info in the logs for when matches occur, nothing afaik can tell you why a match didnt occur. Open a support case I suppose.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
John Water

Yes, I have a support ticket opened but they have not gotten back with me yet and a lot of the time this site provides better solutions, faster.

thank you
John Water

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question