Use Case 6: DLP block/alert by Microsoft Office 365

This use case is designed to block an email that carries the DLP X-Header response “DLP reject” and to notify the sender that delivery was unsuccessful, with an explanation message and a status code. However, if you use Forcepoint Security Manager notifications or Microsoft Office 365 notifications, this requirement is already fulfilled.

Steps

  1. In the Microsoft Exchange admin center, navigate to Mail flow > Rules. The Rules screen appears.
  2. Click Add a rule + > Create a new rule. The New transport rule screen appears.
  3. On the Set rule conditions page:
    1. Enter a unique name (for example, DLP Block/Alert by Microsoft Office 365) for the rule in the Name field.
    2. In the Apply this rule if* field:
      1. Select The message headers… from the first drop-down list.
      2. Then select matches any of these text patterns from the second drop-down list.
      3. Click Enter text. The specify header name window appears.
      4. Enter message header X-Forcepoint-DLP-Email and then click Save.
      5. Click Enter words. The specify words or phrases window appears.
      6. Enter header text DLP-Reject and then click Save.
    3. In the Do the following* field:
      1. Select Block the message from the first drop-down list.
      2. Then select reject the message and include an explanation from the second drop-down list.
      3. In the specify rejection reason prompt, enter the alert message (for example, Your email was blocked because it contained sensitive data which breached your organization's email DLP policy).
      4. Click Save.
      5. Then click + in the Do the following* field. A new And field opens.
    4. In the And field:
      1. Select Block the message from the first drop-down list.
      2. Then select reject the message with the enhanced status code of from the second drop-down list.
      3. In the enter enhanced status code prompt, enter the status code (for example, 5.7.1).
      4. Click Save.
    5. When you have finished configuring the Set rule conditions page, click Next.
  4. On the Set rule settings page, configure the following settings:
    1. Select Enforced as Rule mode.
    2. Select High in Severity.
    3. Tick Stop processing more rules.
    4. When you have finished configuring the Set rule settings page, click Next.
  5. On the Review and finish page, verify the settings and click Finish.
  6. The Transport rule created successfully message appears. Then, click Done.

    The inbound mail flow rule for the DLP Block/Alert by Microsoft Office 365 is created.

    Note: After the mail flow rule (DLP Block/Alert by Microsoft Office 365) is created, it might take 30 minutes or more for the new rule to be applied to emails.
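
The same rule can be created and checked from Exchange Online PowerShell, which makes the settings reviewable and repeatable. This is an added example, not part of the original Forcepoint procedure; it assumes the ExchangeOnlineManagement module is installed, and the administrator account shown is a placeholder.

```powershell
# Added example: scripted equivalent of steps 1-6 above (not vendor-supplied code).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder account

$ruleName = 'DLP Block/Alert by Microsoft Office 365'

$ruleParams = @{
    Name                            = $ruleName
    # Step 3.2: "The message headers... matches any of these text patterns"
    HeaderMatchesMessageHeader      = 'X-Forcepoint-DLP-Email'
    HeaderMatchesPatterns           = 'DLP-Reject'
    # Step 3.3: reject the message and include an explanation
    RejectMessageReasonText         = "Your email was blocked because it contained sensitive data which breached your organization's email DLP policy"
    # Step 3.4: reject the message with the enhanced status code
    RejectMessageEnhancedStatusCode = '5.7.1'
    # Step 4: rule mode, severity, stop processing more rules
    Mode                            = 'Enforce'
    SetAuditSeverity                = 'High'
    StopRuleProcessing              = $true
}

# Do not create a second rule with the same name if the script is re-run.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    Write-Warning "Rule '$ruleName' already exists (state: $($existing.State)); nothing created."
} else {
    New-TransportRule @ruleParams | Out-Null
}

# Show the settings that determine whether the block is actually enforced.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, Priority, HeaderMatchesMessageHeader,
                HeaderMatchesPatterns, RejectMessageReasonText,
                RejectMessageEnhancedStatusCode, SetAuditSeverity, StopRuleProcessing
```

In the output, confirm that State is Enabled and Mode is Enforce, and review Priority: Stop processing more rules only affects rules that run after this one, so rules ordered ahead of it are still evaluated first.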