Microsoft 365 DLP Switches from Envelope to Header for Sender Evaluations

Posted on by Tony Redmond

Two Kinds of DLP

As you might be aware, two types of Data Loss Prevention rules are available for Exchange Online:

  • Exchange Online Transport Rules (ETRs): Because all email must travel through the transport system, it made sense for Microsoft to use transport rules to implement DLP in Exchange 2010. ETRs are available for Exchange Server and Exchange Online.
  • Microsoft 365 DLP: Otherwise known as unified DLP, this is the preferred approach for DLP within Microsoft 365 tenants, notably because this version is under active development.

When Microsoft first launched unified DLP in 2016, its Exchange capabilities were weaker than ETRs. This, plus a desire to have the same rules active within both on-premises and cloud sides of hybrid environments, made some customers reluctant to embrace unified DLP. Microsoft steadily closed the gap with ETRs over time and reached functional equivalence in 2020. For most organizations, unified DLP is the right answer when looking for a solution to block inadvertent sharing of confidential or sensitive information from SharePoint Online, OneDrive for Business, and Exchange Online. DLP also supports Teams messaging, but unlike the basic workloads, DLP for Teams requires Office 365 E5 or Microsoft 365 equivalent licenses.

Tweaking Continues

Some tweaking of unified DLP processing continues to improve its capabilities and performance. MC306117 (December 17) is an example. The change announced in this message center notification tells tenants that starting January 20, 2022 (presumably – the notice says 2021, but that seems like a year-end error), when DLP evaluates sender-based conditions for email, it will use header sender addresses instead of envelope sender addresses. This makes unified DLP work the same way as ETRs.

Sender Addresses

The change is sensible because most people consider envelope sender addresses when they think about rules they might want to apply. In the world of SMTP, messages have two parts:

  • Envelope: Used by mail servers to route messages. The format of envelopes is defined in RFC5321, and the sender information is in the Mail From field. When email reaches its destination, the server discards the envelope and saves the Mail From address in the Return-Path message header.
  • Message: Defined in RFC5322, SMTP messages have a bunch of headers and a body. Email clients display the From message header as the message sender.

There is no requirement that the Mail From address in the envelope matches the From address in the message. In fact, it’s very common that the two differ. Take the example of a company which uses a marketing platform like HubSpot to send email to mailing lists. The Mail From address in the envelope will be for a HubSpot server while the From address in the message will be whatever the company wants the message recipient to see.

Checking Who Sent Email

I don’t use my Exchange Online email address to sign up for email communications with many companies, so the number of messages of this type which arrive are limited. However, I found a message from Quest Software to illustrate the point (Figure 1). The sender information in the envelope is revealed by using Outlook’s Message Header Analyzer add-in. You can see that the Return-Path header is different to the sender information shown by the client.

Checking Header and Envelope sender addresses
Figure 1: Checking Header and Envelope sender addresses

In this instance, the change for DLP processing on January 20 means that DLP will evaluate sender address conditions against Quest@quest.com instead of QuestInc@innovation.quest.com. The change will happen automatically.

Microsoft says that organizations wishing to continue evaluating sender addresses based on envelope data will have the option to change the tenant DLP configuration (they don’t say how). They also say that organizations can configure DLP policy rules using the SenderAddressLocation parameter. This isn’t available yet, but if the same approach is used as for ETRs, the syntax will be:

# Update DLP rule to use both header and envelope sender info for evaluations
Set-DlpComplianceRule -Identity "Rule name" -SenderAddress Header Envelope HeaderOrEnvelope

The values are:

  • Header: Use the From message header (new default from January 20).
  • Envelope: Use sender information contained in the Mail From value in the message envelope (current default).
  • HeaderOrEnvelope: Use both.

Overall, the change makes sense and shouldn’t affect too many organizations, but it’s something to test if your company uses Microsoft 365 DLP policies to process Exchange Online content.

One Reply to “Microsoft 365 DLP Switches from Envelope to Header for Sender Evaluations”

  1. Pingback: Threat Explorer Useful Feature in Microsoft Defender for Office 365

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.