One of the new features of Microsoft Exchange SP1 is the support of mailtips in OWA (Outlook Web App). In this article I will show you how to work with DLP Policy and mailtips to prevent your user to send emails outside your organization with Passport number or Credit card number inside their emails.

First, if you don’t know what is DLP you should watch this short video done by Microsoft Team :



So let’s go to our ECP and jump in the Compliance Management section. Then we are going to add a new Custom DLP Policy :


DLP Policy and mailtips

Create a new Cutom DLP Policy

Give a name to your policy and switch the mode to Test with policy Tips. save

DLP policy and mailtips

Set the DLP Policy

Open you DLP Policy, go on rules section and add a new rule. Choose Notify Sender when sensitive information is sent outside my organization.

DLP Policy and mailtips

Add a rule to our Custom DLP Policy

At this step you’re going to define the conditions of the rule. So by default the rule is apply if the sender is outside the organization. Good. And if the message contains sensitive information. So click on the blue link “Select sensitive information types…

DLP Policy and mailtips

Define the sensitive information in our rule of the custom DLP Policy

You can define the types of sensitive information that will be check by Exchange. Microsoft Exchange 2013 is deliver with a lot of types (financial, health numbers, passport, debit card,…). I’m french (really?) so I’m going to choose “France Passport Number“, “EU Debit card Number” and “Credit card  number”. You can define the minimum and maximum of iteration or let by default any for both values.

DLP and mailtips

Yes, this is really sensitive !

Click on OK and let continue to set our DLP rule. We’ve defined the condition and now we are going to define the actions. I’ve delete the first one in the default rule because I don’t want to receive a report. So I just let the rule “Notify user by sending a Policy Tip…“. Then click in the blue link “Notify the sender but allow them to send ” to define the details of the actions.

DLP Policy and Mailtips

set the details of the actions taken in the rule of the custom DLP Policy

In the details you can choose to just notify the user but he will be able to send the message or you can block the message.

DLP Policy and Mailtips

details for the notification by mailtips

 I choose the first option because I’m a really cool guy (and I’m in a lab). If you choose one of the last options the mailtips will be different and will offer the possibility to the end-user to override the policy (with the last option he will have to provide a justification and this one will be send to a specific email).

At this step save everything your policy is ready…or almost. Why? Because you have to know : Once you update a rule in Exchange it can take up to ~15 minutes for the rule to propagate across the servers.

Morevover if we just talk about DLP policy for credit card and debit card number, If you’re using the fake numbers for your test, the numbers’ checksums will not match those of a valid credit card; therefore, the rule will not catch them.
At least the rule will look for corroborative evidence of a credit card number (e.g., keywords, expiration dates, etc.) in addition to the number itself (Exchange is a really smart product, definitively!).

So let’s go we have to test this rule ! Go on you OWA mailbox and start a new email. Enter a gmail or an email outside your company and begin to type your email. Include your credit card information. Wait 60 sec (yes it can take 60 sec to Exchange to parse the email and apply the rule) and you should see your mailtip :


A crazy user try to send sensitive informations

Really nice, isn’t it ? If you want you can customize the message for localization or your own needs (so you can notice on the screenshoot my very usefull message).

So now DLP and end user experience is the same on outlook 2013, OWA and ActiveSync devices. Just below a screenshot of OWA on a phone :

Mailtips and DLP

Mailtips on a Windows Phone

Security of the information is very important for most companies . The only way to be effective is the education of end user. However if education means restrictions and decrease the global productivity is not good. DLP is here to secure the information without any impact on the productivity.
DLP is easy to maintain, very understandable by users and very flexible. Everybody in your company work with sensitive data at different level so it is time to manage this with DLP!


Category: How to do; News; Servers
Published: 2/26/2014 21:14