Unlabeled PDF Attachments Sent Externally dlp

Mariama Diallo 0 Reputation points
2026-05-27T15:39:25.45+00:00

Hi everyone,

I am facing an issue with a DLP policy configured in Microsoft Purview that is not triggering as expected on Exchange Online.

ENVIRONMENT

  • License: Microsoft 365 E5
  • Workload: Exchange Online
  • Policy mode: Enforce
  • Policy priority: 0

POLICY CONFIGURATION

Conditions:

  • Content is not labeled → Attachments only
  • File extension is: pdf
  • NOT Recipient domain is: [internal domain]

Action:

  • Deliver the message to the hosted quarantine

Scope:

  • Exchange email → specific security group (all test users are members)

ISSUE

Despite the policy being fully enforced, outbound emails containing unlabeled PDF attachments are being delivered normally to external recipients. The quarantine action is never applied.

More importantly, no events are recorded in the Activity Explorer (no DLPRuleMatch), which confirms that the DLP engine is not evaluating the rule at all — not just failing to act on it.

TROUBLESHOOTING ALREADY PERFORMED

  1. Policy is in Enforce mode
  2. Exchange email is included in the policy scope
  3. All sensitivity labels are published via label policies
  4. Rule priority is set to 0 (highest)
  5. Quarantine action is properly configured
  6. Waited more than 24 hours after policy creation
  7. Activity Explorer shows no DLPRuleMatch events whatsoever
  8. Tested with a PDF file confirmed to have no MIP label applied
  9. No outbound SMTP connectors exist that could bypass Exchange transport

ADDITIONAL CONTEXT

The exact same DLP policy configuration is working correctly on another tenant with the same E5 license. This suggests the issue is specific to this tenant rather than a configuration error.

QUESTION

Has anyone experienced a similar issue where the DLP engine completely skips rule evaluation on Exchange Online despite the policy being enforced and correctly scoped? Could there be a tenant-level setting or a backend anomaly that would prevent the DLP engine from inspecting outbound emails?

Any guidance or diagnostic steps would be greatly appreciated.

Thank you.

Microsoft Security | Microsoft Purview

2 answers

  1. Pilladi Padma Sai Manisha 8,890 Reputation points Microsoft External Staff Moderator
    2026-05-29T06:59:52.0666667+00:00

    Hi Mariama,

    Based on the information you've provided, the most notable observation is that there are no DLPRuleMatch events in Activity Explorer. This suggests that the policy may not be reaching the evaluation stage rather than simply failing to enforce the quarantine action.

    A few things I would recommend checking:

    • Confirm that the users sending the test emails are within the policy scope and that the scoped group is resolving correctly.
    • Test with a simpler DLP rule (for example, a rule that detects a keyword or sensitive information type) to verify that Exchange Online DLP evaluation is working in the tenant.
    • Verify that the PDF attachments are being successfully indexed and inspected by Microsoft 365, as the "Content is not labeled" condition depends on content inspection.
    • Review the policy for any exclusions or conditions that could prevent evaluation.

    Since you've mentioned that the same configuration works in another tenant with the same licensing, and no DLP evaluation events are being generated in this tenant, this could indicate a tenant-specific policy synchronization or backend service issue.

    If the above checks do not identify the cause, I would recommend opening a Microsoft Support case so the backend DLP processing and policy deployment status can be reviewed in more detail.

    Could you also confirm whether other DLP policies in the tenant are generating matches successfully, or if the issue is isolated to this specific policy?

    1 person found this answer helpful.

  2. AI answer

    2026-05-27T15:39:48.5466667+00:00

    The described configuration relies on supported DLP conditions and actions for Exchange, but there are a few important behavioral constraints and validation steps to check when a rule appears to be skipped entirely.

    Key points from supported behavior

    1. Supported conditions/actions for Exchange DLP
      • “Content is not labeled” and “File extension is” are valid DLP conditions for Exchange.
      • “Deliver the message to the hosted quarantine” is a supported action for Exchange DLP.
      • These conditions and actions are part of the standard DLP rule set for Exchange; they are evaluated by the same engine that drives DLPRuleMatch events in Activity Explorer.
    2. Policy tips vs. enforcement
      • Outlook clients only show policy tips for a subset of conditions, but this does not affect enforcement on the server side.
      • The rule can still enforce (e.g., quarantine) even if no policy tip is shown, as long as the conditions are supported for Exchange.
    3. Multiple DLP locations and overlapping configurations
      • Policy tips and DLP behavior can be affected if policies are configured in multiple locations (Exchange admin center vs. Purview portal) for the same scenario.
      • Guidance is to configure or enable policy tips and DLP in only one place to avoid conflicts.
    4. Conditions that can prevent evaluation
      • DLP rules that depend on external sharing state (for example, “Content is shared from Microsoft 365” in SharePoint/OneDrive) only evaluate once content is indexed as externally shared. A similar principle applies: if a condition is not met or cannot be evaluated, the rule will not trigger and no DLPRuleMatch is logged.
      • For Exchange, attachment-related conditions such as “Any email attachment’s content could not be scanned” or “Document or attachment is password protected” are evaluated only when the engine can inspect the attachment. If the attachment is unsupported or cannot be scanned, those conditions (or exceptions) can short‑circuit other logic.
    5. Policy configuration errors
      • If multiple rules in the same policy detect the same data with the same instance count and confidence, this can cause configuration issues. The recommendation is to have a single rule per set of sensitive data/conditions.
      • A mismatch between the policy status and rule configuration (for example, policy in “Test it out first” while rules are configured with user notifications) is a known cause of DLP behavior not matching expectations.

    Targeted diagnostic steps for this scenario

    1. Validate rule conditions against Exchange DLP reference
      • Confirm that the rule uses only Exchange-supported conditions for evaluation:
        • “Content is not labeled”
        • “File extension is”
        • Recipient domain condition (NOT internal domain)
      • Ensure there are no additional conditions or exceptions (for example, unsupported exceptions or sensitivity-label-based exceptions) that could prevent evaluation.
    2. Check for overlapping or conflicting DLP policies
      • Verify that there are no other DLP policies or mail flow rules in Exchange that:
        • Use the same conditions (unlabeled content, PDF attachments, external recipients), or
        • Contain exceptions such as “Any email attachment’s content could not be scanned” or “Document or attachment is password protected” that might cause messages to bypass the rule.
      • Ensure DLP is configured in a single admin surface for this scenario (either Purview or Exchange admin center, not both for the same logic).
    3. Confirm that the rule is the only one targeting unlabeled PDFs
      • If there are multiple rules in the same policy targeting unlabeled content with the same conditions, consolidate them into a single rule as recommended.
    4. Test with simplified rule
      • Create a new test DLP policy scoped to Exchange only, with a single rule:
        • Conditions:
          • File extension is: pdf
          • Recipient domain is: external test domain
        • Action:
          • Deliver the message to the hosted quarantine
      • Verify that DLPRuleMatch events appear in Activity Explorer for this simplified rule.
      • Then add “Content is not labeled” as an additional condition and re-test.
    5. Verify attachment scanability
      • Ensure the test PDFs are not password protected and are recognized/scannable by Exchange (not corrupted, not in an unsupported container).
      • If needed, add a temporary rule using “Any email attachment’s content could not be scanned” to confirm whether attachments are being treated as unscannable.
    6. Compare with the working tenant
      • Export the DLP policy definition from the working tenant and compare it with the non-working tenant’s policy to confirm there are no subtle differences (extra exceptions, different locations, or different rule ordering).

    When to escalate as a backend/tenant anomaly

    If all of the following are true:

    • The simplified test policy (single rule, basic conditions) does not generate any DLPRuleMatch events.
    • The same configuration works in another tenant with the same license.
    • There are no overlapping DLP policies or mail flow rules that could bypass or override the behavior.

    Then this aligns with a tenant-level or backend anomaly rather than a configuration issue. In that case, the next step is to open a support case with Microsoft, referencing that:

    • DLP rules with supported Exchange conditions and actions are not evaluated at all.
    • No DLPRuleMatch events are generated in Activity Explorer for messages that clearly meet the rule conditions.

    Support can then check the DLP pipeline and policy deployment state for the specific tenant.


    Was this answer helpful?
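
Both answers point at the policy deployment state and at comparing the policy with the working tenant. The PowerShell below is an added example, not part of either answer, showing one way to check both from Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module is installed; the policy name, the `$TenantTag` label and the output file names are placeholders.

```powershell
# Added example (not from the thread). Run once per tenant, then diff the two output files.
# Assumptions: ExchangeOnlineManagement module is installed; the policy name is a placeholder.
param(
    [string]$PolicyName = '<DLP policy name>',   # placeholder
    [string]$TenantTag  = 'tenantA'              # hypothetical label used in the file name
)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # Security & Compliance PowerShell

# 1. Deployment state: a status that is not Success means the policy has not
#    fully synced to the workload; DistributionResults lists per-location errors.
$policy = Get-DlpCompliancePolicy -Identity $PolicyName -DistributionDetail
$policy | Format-List Name, Mode, Enabled, Priority, DistributionStatus, DistributionResults

# 2. Rules attached to the policy, in evaluation order.
$rules = @(Get-DlpComplianceRule -Policy $PolicyName | Sort-Object Priority)
$rules | Format-Table Name, Disabled, Priority -AutoSize

# 3. Flatten policy and rules to sorted "Property = Value" lines, dropping
#    tenant-specific and time-varying fields so the files diff cleanly.
function ConvertTo-FlatLines {
    param([Parameter(Mandatory)] $InputObject, [string]$Prefix)
    $skip = 'Guid|Identity|^Id$|When|Created|Modified|LastStatus|Distribution|Organization'
    $InputObject.PSObject.Properties |
        Where-Object { $_.Name -notmatch $skip } |
        ForEach-Object { '{0}.{1} = {2}' -f $Prefix, $_.Name, (@($_.Value) -join '; ') } |
        Sort-Object
}

$lines = @(ConvertTo-FlatLines -InputObject $policy -Prefix 'Policy')
$i = 0
foreach ($rule in $rules) {
    $lines += ConvertTo-FlatLines -InputObject $rule -Prefix "Rule[$i]"
    $i++
}
$lines | Set-Content -Path "dlp-$TenantTag.txt" -Encoding UTF8

# 4. After running in both tenants (file names are hypothetical):
# Compare-Object (Get-Content dlp-tenantA.txt) (Get-Content dlp-tenantB.txt)
```

Any line that `Compare-Object` reports for only one tenant is a configuration difference (an extra exception, a different location or rule order) worth ruling out before treating the behaviour as a backend anomaly.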
