Share via

How can I view file attachments sent via Outlook emails with Microsoft Purview?

Brendan Short 0 Reputation points
2024-07-15T03:45:08.93+00:00

We are wanting to know the contents of file attachments are being sent via Outlook, externally to our network. We are concerned our staff are sending inappropriate private company data to their personal email addresses.

When i use Content Explorer in Purview and view a SIT such as Australian Tax File Number I can see the body of the message, and the metadata associated with the match etc, but I am unable to view the attachment to the email.

Purview Audit does not appear to have this functionality.

Could anyone please advise how I can view any Outlook file attachments being sent externally to our network in Purview?

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
4,995 questions
Office
Office
A suite of Microsoft productivity software that supports common business tasks, including word processing, email, presentations, and data management and analysis.
1,665 questions
Outlook
Outlook
A family of Microsoft email and calendar products.
3,903 questions
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,195 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. PRADEEPCHEEKATLA-MSFT 89,816 Reputation points Microsoft Employee
    2024-07-15T10:33:35.6066667+00:00

    @Brendan Short - Thanks for the question and using MS Q&A platform.

    Microsoft Purview Information Protection connector does not support viewing file attachments sent via Outlook emails. The connector only supports streaming audit logs into the MicrosoftPurviewInformationProtection standardized table, which contains information related to Microsoft Purview scanner events, sensitivity label events, protection events, and file deletion events.

    However, you can use Microsoft 365 Defender to view file attachments sent via Outlook emails. Microsoft 365 Defender provides advanced hunting tables that allow you to query and analyze data from various Microsoft Defender products, including Defender for Office 365 (formerly known as Office 365 Advanced Threat Protection). The EmailAttachmentInfo table in Defender for Office 365 provides information about files attached to emails, including the file name, file type, file size, and SHA256 hash value.

    To view file attachments sent via Outlook emails in Microsoft 365 Defender, you can use the advanced hunting feature to create a query that filters for emails with attachments sent externally to your network. For example, the following query retrieves all emails with attachments sent to external recipients in the last 30 days:

    EmailAttachmentInfo
| where AttachmentType != "Message"
| where IsExternal == true
| where Timestamp > ago(30d)
| project Timestamp, SenderFromAddress, RecipientEmailAddress, AttachmentFileName, AttachmentFileType, AttachmentFileSize, AttachmentSHA256Hash

    I hope this helps! Let me know if you have any further questions.

    0 comments
  2. ROMAIN DALLE 0 Reputation points MVP
    2024-07-18T12:00:56+00:00

    Hi @Brendan Short ,
    In case you need to run investigations activities on data such as analyzing attachments in e-mails that meet your criterias, you should find useful to leverage Purview eDiscovery capabilities, and especially eDiscovery Premium solution if you have E5 or Compliance E5 licences in your tenant.

    Please see how eDiscovery works through following pages :

    https://learn.microsoft.com/en-us/purview/ediscovery-standard-get-started

    https://learn.microsoft.com/en-us/purview/ediscovery-overview

    Regards,
    Romain

    ** Please mark this answer as an "accepted answer" if this is the case. **

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.