Netskope Global Technical Success (GTS)
Utilizing Netskope DLP to Block/Detect Sensitive Email Sharing in O365
Netskope Cloud Version - 119
Objective
Block sharing of sensitive email using Netskope Email DLP Solution with O365 Email Service
Prerequisite
Netskope Email DLP for O365 License is required
Context
This article describes how to block sensitive emails with the O365 Email Service, along with the required SMTP configurations.
Do You Know?
- When you configure Netskope SMTP Proxy with Microsoft O365 Exchange, all outgoing emails from Microsoft O365 Exchange are sent to Netskope SMTP Proxy for policy evaluation.
- If the Netskope SMTP Proxy detects a violation of the DLP policy, it inserts an SMTP header (for a Block action, the SMTP header is X-Netskope-Action: Block) and forwards the message back to Exchange for further processing based on the injected SMTP header.
- Exchange will read the injected SMTP header and execute the corresponding action based on its value.
Configuration
Step 1: Ensure that the Inbound and Outbound connectors are correctly configured in Microsoft Exchange by following these articles:
- Configure Netskope SMTP Proxy with Microsoft O365 Exchange
- Send Traffic from Netskope back to Exchange
Step 2: Ensure that the Transport rule below is configured in Microsoft Exchange, so that email traffic that has already been inspected by Netskope and sent back to Exchange is not resent to Netskope, which would cause an infinite loop. The rule checks for 'x-netskope-inspected: true' in the SMTP header.
To configure it, log in to your Microsoft Exchange Portal.
- Go to Mail Flow > Rules > Add New Rule
- Add the rule with the message header set to X-Netskope-Inspected: true
Step 3: Configure a Transport Rule in O365 Exchange that blocks the message in case of a DLP violation and notifies the end user.
To configure it, log in to your Microsoft Exchange Portal.
- Go to Mail Flow > Rules > Add New Rule
- Add the rule with the message header set to X-Netskope-Action: Block
Step 4: Configure the DLP Policy in the Netskope Tenant UI. Choose the Action 'Add SMTP Header' and specify the header value as X-Netskope-Action: Block
Path: Netskope Tenant UI >>> Policies >>> Real-time Protection
For this use case, the predefined DLP-PII DLP Profile is used.
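The header flow from the "Do You Know?" list and Steps 2 to 4 can be modelled offline to check that a message ends in delivery or rejection instead of looping. This is an added example, not Netskope or Microsoft code: the function names, decision strings and sample message are constructed, the proxy stand-in performs no DLP scan, and it assumes the block rule is evaluated before the loop-prevention rule and that header values are matched case-insensitively.

```python
from email import message_from_bytes
from email.policy import default

INSPECTED = ("X-Netskope-Inspected", "true")  # header checked by the Step 2 rule
BLOCK = ("X-Netskope-Action", "Block")        # header checked by the Step 3 rule
ROUTE = "route to Netskope SMTP Proxy"

# Constructed sample message (not real traffic).
SAMPLE = (b"From: user@example.com\r\nTo: partner@example.net\r\n"
          b"Subject: constructed sample\r\n\r\nbody\r\n")


def has_header(msg, name, value):
    """True if any instance of the header carries the value (case-insensitive)."""
    return any(str(v).strip().lower() == value.lower()
               for v in msg.get_all(name, []))


def exchange_decision(raw: bytes) -> str:
    """Model of the two Exchange transport rules applied to one message."""
    msg = message_from_bytes(raw, policy=default)
    if has_header(msg, *BLOCK):
        return "reject: DLP Rejection"   # Step 3: block and notify the sender
    if has_header(msg, *INSPECTED):
        return "deliver"                 # Step 2: already inspected, do not resend
    return ROUTE                         # not yet inspected


def proxy_return(raw: bytes, violation: bool) -> bytes:
    """Stand-in for the proxy: prepend the headers it injects (assumption: both)."""
    added = b"X-Netskope-Inspected: true\r\n"
    if violation:
        added += b"X-Netskope-Action: Block\r\n"
    return added + raw


def trace(raw: bytes, violation: bool, max_hops: int = 3):
    """Follow a message between Exchange and the proxy; fail if it never settles."""
    hops = []
    for _ in range(max_hops):
        hops.append(exchange_decision(raw))
        if hops[-1] != ROUTE:
            return hops
        raw = proxy_return(raw, violation)
    raise RuntimeError("message keeps returning to the proxy (mail loop)")


if __name__ == "__main__":
    print(trace(SAMPLE, violation=False))
    print(trace(SAMPLE, violation=True))
```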
Verification
Attempt to send an email containing PII data to an external domain recipient. The email should be blocked by O365 based on the injected SMTP header, and the user should receive a notification email with the reason labeled as 'DLP Rejection'.
Verify the DLP violation incident in the Netskope Tenant UI. Note that the action taken by the Netskope SMTP Proxy is 'add_headers' rather than 'Block', as Netskope only injects the header, with further actions being handled by O365.
Path: Netskope Tenant UI >>> Incidents >>> DLP
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.