Track outbound emails with Specific sensitivity label

Question

Track outbound emails with Specific sensitivity label

jpcapone 1,776

Is there a way to track emails with labeled attachments when they are exfiltrated? I set up an IRM policy to do just that but the File sensitivity label field is empty:

User's image

Chandra Boorla 14,675 Reputation points Microsoft External Staff Moderator

2025-04-15T17:42:50.74+00:00

@jpcapone

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

2 answers

Your answer

Chandra Boorla 14,675 Reputation points Microsoft External Staff Moderator

2025-04-15T17:42:50.74+00:00

@jpcapone

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

@jpcapone

Thank you for raising this important question around tracking exfiltration of emails with labeled attachments. You are absolutely right to expect visibility into those file-level labels, especially when enforcing protection policies.

Why the "File sensitivity label" is empty

Even though you've set up an IRM policy, the reason you're seeing a blank "File sensitivity label" in the audit logs is because:

IRM protects but doesn’t classify - IRM enforces access control (e.g., "Do Not Forward"), but it doesn't apply or log sensitivity labels on attachments.
Attachments require separate labeling - The email and the attachments are treated separately. For labels to appear in logs, the attachment itself must be labeled, either manually or via auto-labeling.

How to Fix This

Manual Pre-Send Labeling - Before attaching, users can manually label files:

Right-click the file > Properties > Sensitivity
Or for Office docs, apply labels via the ribbon in Word/Excel/PowerPoint

Auto-Labeling via Microsoft Purview - Set up rules in Microsoft Purview to automatically label attachments based on:

File content (e.g., credit card numbers, SSNs)
Metadata (e.g., filenames with “confidential”)

DLP Policies for Enforcement - Use Purview DLP with rules like:

Condition: Attachment has sensitivity label = X AND recipient is external
Action: Block with override or generate an alert

Optional - Consider integrating Microsoft Defender for Cloud Apps (MDCA) for real-time alerts and visibility when labeled content is shared externally.

Test this - Try sending a labeled Word or PDF file externally and confirm if the label appears in:

Purview > Content Explorer
Purview > Audit logs

I hope this information helps. Please do let us know if you have any further queries.

Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

Thank you.

Answer 2

jpcapone 1,776

I have configured each piece you identified in my testing.

Manual Pre-Send Labeling - Before attaching, users can manually label files:

Right-click the file > Properties > Sensitivity
Or for Office docs, apply labels via the ribbon in Word/Excel/PowerPoint

DLP Policies for Enforcement - Use Purview DLP with rules like:

Condition: Attachment has sensitivity label = X AND recipient is external
- Action: Block with override or generate an alert
  Activity explorer
This is an alert regarding the same event and IRM is still empty
Please advise.

Chandra Boorla 14,675 Reputation points Microsoft External Staff Moderator

2025-04-14T18:29:02.9833333+00:00
@jpcapone

Thanks for sharing the screenshots and confirming that you have already set up manual labeling, DLP policies, and are seeing alerts in Activity Explorer. You are definitely on the right track.

Based on your setup and the fact that "File sensitivity label" is still empty in the IRM logs, here are a few points to consider:

Why this might be happening:

Attachments and Emails are Audited Separately - Even if the attachment is labeled, the IRM or Unified Audit Log might not reflect the "File Sensitivity Label" unless that file was labeled using Microsoft Purview built-in labeling, and it's a supported file type (like .docx, .xlsx, .pdf).

Labels with Encryption May Not Show in IRM Logs - If your label includes encryption (like "Do Not Forward" or custom permissions), the label might trigger DLP alerts but may not populate the "File Sensitivity Label" field in the IRM event logs due to how encrypted content is handled in audit telemetry.

The Activity Explorer is the More Reliable Source - Since you are seeing the expected behavior in Activity Explorer, that's currently the best source of truth for tracking labeled attachments - even if IRM logs show that field as empty.

Recommendations:

Ensure that the attachment file type supports labeling and that the label was applied via Microsoft Purview (unified labeling) rather than AIP classic.

Test with a label that has no encryption, to see if the label field shows up as expected.

If not already enabled, consider turning on Microsoft Purview Audit (Premium) for enhanced visibility into file-level labeling events.

I hope this information helps. Please do let us know if you have any further queries.

Thank you.
Chandra Boorla 14,675 Reputation points Microsoft External Staff Moderator

2025-04-16T17:03:56.3433333+00:00

@jpcapone

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
jpcapone 1,776 Reputation points

2025-04-30T01:00:42.9833333+00:00

I have evaluated the information provided and I also opened a ticket. I am confused as to how this can be so challenging when all of the data points - to run a report like this - are available in different reports and alerts in the Purview and Security consoles but there is no way to pull it all together. I can't be the only person trying to do this. I am available to test or try anything please advise. TrackingID#2504180040007815
Chandra Boorla 14,675 Reputation points Microsoft External Staff Moderator

2025-04-30T19:43:34.25+00:00

@jpcapone

Thank you for your follow-up and for sharing the Tracking ID. I completely understand your frustration, and you're absolutely not alone in wanting a unified way to track exfiltration of labeled content across Microsoft 365.

You're right: the data does exist, just across different experiences like Purview's Audit Logs, Content Explorer, DLP alerts, and Defender for Cloud Apps (MDCA). However, today there isn’t a built-in, centralized dashboard or reporting view that correlates email send events with labeled attachments in a single pane of glass.

That said, your scenario, tracking exfiltration of files based on sensitivity label, is a very common ask, especially in regulated environments, and I appreciate you being proactive in raising it.

Since you've already opened a support case, you're absolutely on the right track, Microsoft Support will be able to investigate in-depth, including back-end signals and cross-service telemetry, which may not be visible through standard reporting interfaces.

Appreciate your patience.

Thank you.

Share via

Track outbound emails with Specific sensitivity label

2 answers

Your answer