Testing a DLP Credit Card rule

Mikhail Firsov 1,876 Reputation points
2022-04-20T12:59:00.373+00:00

Hello!

The theory (regarding the Credit Card DLP rule):

https://learn.microsoft.com/en-us/exchange/policy-and-compliance/data-loss-prevention/sensitive-information-types?view=exchserver-2019 and other documents

194735-q1.png

194743-q1-1.png

The practice:
194668-q2.png

In spite of the rule above, the credit card details can be sent without any issue - the rule does not work at all (with or without policy tips, with actions from Notify to Reject, and no incident report is being created). For example, the following email would be successfully sent without mail tips even with the action = Reject:
194659-q4.png

What am I doing wrong here?

Regards,
Michael


3 answers

  1. Kael Yao-MSFT 37,676 Reputation points Microsoft Vendor
    2022-04-21T08:15:47.8+00:00

    Hi @Mikhail Firsov

    I suppose the cause may be that your test card number (2594 6547...) isn't matched by the DLP algorithm.
    It didn't trigger the rule in my test either.
    Using another number for the test works for me.

    According to this link: Credit card number
    The card number must also pass the Luhn test.


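A pre-flight check for DLP test messages, as an added example that is not part of the original thread and not Microsoft's implementation: it pulls 16-digit candidates out of a message body and runs the Luhn test mentioned in the answer above on each. The candidate regex, the function names and the sample body are assumptions constructed for illustration; 4111 1111 1111 1111 is a commonly used test number.

```python
import re

# Assumption for this example: a candidate is 16 digits, optionally
# separated by single spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def preflight(body: str):
    """List (matched_text, passes_luhn) for each candidate in the body."""
    results = []
    for m in CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        results.append((m.group(), luhn_valid(digits)))
    return results


# Constructed sample message body (not from the thread).
SAMPLE = (
    "Order ref 12345.\n"
    "Card: 4111 1111 1111 1111 exp 12/29\n"
    "Mistyped card: 4111-1111-1111-1112\n"
)

if __name__ == "__main__":
    for text, ok in preflight(SAMPLE):
        verdict = "passes Luhn" if ok else "fails Luhn, will not count as a card number"
        print(f"{text}: {verdict}")
```

A number that fails here cannot satisfy the Luhn requirement quoted in the answer; a number that passes can still go undetected if the rule's other conditions are not met.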

  2. Mikhail Firsov 1,876 Reputation points
    2022-04-21T08:19:34.617+00:00

    Hi KaelYao-MSFT,

    "The card number must also pass the Luhn test." - I thought about it and tried the real card's number - it didn't work out either :(


  3. Mikhail Firsov 1,876 Reputation points
    2022-04-27T13:31:16.863+00:00

    The result:
    197025-q12.png

    ...and the email with a real Visa number can be sent/received with no issues at all... :(((

    Regards,
    Michael