DLP Policy not blocking SSN number only

November 13, 2019 | by iaur | posted as Exchange Online, Protection

Scenario

Unable to block emails that contain only an SSN.

Cause

DLP's SSN detection requires both the SSN and a keyword, so a message that contains only the number is not matched.

Sensitive Information Types: https://docs.microsoft.com/en-us/exchange/policy-and-compliance/data-loss-prevention/sensitive-information-types?view=exchserver-2019

Steps on how to automatically reject/block sensitive data patterns (SSN)

  1. Go to “Office 365 Admin Center” then choose “Admin Centers” 
  2. Select “Exchange” and in the Exchange Admin Center go to “mail flow”
  3. Under “rules” click on “+” to add a rule (create a new rule)
  4. You can give the rule any name you want (for example, “Block SSN Data”)
  5. In *Apply this rule if… – select “The recipient is located…” then select “Outside the organization”
  6. Click “add condition” – select “The subject or body matches…” then enter this pattern: \d\d\d-\d\d-\d\d\d\d (US-SSN pattern)
  7. Under *Do the following… – if you’d like to block this message select “Reject the message with the explanation” – then you can type in any reason you want to be disclosed.
  8. Optional – if you’d like the admin to be informed of the incident you can select “Generate incident report and send it to…” – set the recipient who will receive the report and choose the content to include (you can select all).
  9. Set priority to 0
  10. Set Audit this rule with severity level: “High”
  11. Choose “Enforce” for the mode of this rule.
  12. Then “Save”
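
The same rule expressed in Exchange Online PowerShell, preceded by a quick check of what the step 6 pattern does and does not match. This is an added example, not part of the original post; the report recipient address and rejection text are placeholders, and the sample strings are constructed.

```powershell
# Added example, not from the original post.
# Assumes the ExchangeOnlineManagement module and an active
# Connect-ExchangeOnline session for the New-TransportRule call.

$pattern = '\d\d\d-\d\d-\d\d\d\d'   # pattern from step 6

# Constructed sample strings (not real SSNs). This check assumes the rule
# engine matches the pattern anywhere in the text, as PowerShell's -match does.
$samples = @(
    'SSN: 123-45-6789'            # dashed format
    'SSN: 123 45 6789'            # spaces instead of dashes
    'SSN: 123456789'              # no separators
    'Order ref 9123-45-67890'     # dashed digits inside a longer number
)
foreach ($s in $samples) {
    '{0,-26} matches: {1}' -f $s, ($s -match $pattern)
}

# Steps 4-11 as a single mail flow (transport) rule.
$rule = @{
    Name                         = 'Block SSN Data'                               # step 4
    SentToScope                  = 'NotInOrganization'                            # step 5
    SubjectOrBodyMatchesPatterns = $pattern                                       # step 6
    RejectMessageReasonText      = 'Blocked: message appears to contain an SSN.'  # step 7, placeholder text
    GenerateIncidentReport       = 'dlp-admin@example.com'                        # step 8, placeholder address
    IncidentReportContent        = 'Sender', 'Recipients', 'Subject', 'Severity', 'RuleDetections'
    Priority                     = 0                                              # step 9
    SetAuditSeverity             = 'High'                                         # step 10
    Mode                         = 'Enforce'                                      # step 11
}
New-TransportRule @rule
```

The pattern covers only the dashed format and is not anchored, so SSNs written with spaces or without separators pass the rule, while any other text containing digits in the ddd-dd-dddd shape is rejected.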

References

https://www.itpromentor.com/dlp-fine-print/

https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type
