January 3, 2019

Detecting and Mitigating Information Leaks with Office 365 Message Encryption

Posted By
aureus tech systems

When evaluating enterprise digital workplace solutions, the most common concerns of IT leaders are security and compliance. Given that email is one of the top productivity apps in any enterprise, sensitive data ends up flowing through the email system, and sometimes it falls into the wrong hands. In the event of accidental or malicious data sharing, the seamless integration of Office 365 Message Encryption with your data loss prevention (DLP) policies will allow you to quickly identify the source of the leak and mitigate the consequences. Perhaps more importantly, however, this security and compliance feature of Office 365 Enterprise E3 is designed to prevent the vast majority of leaks (i.e., those of the unintentional variety) from occurring in the first place. At the same time, it makes email encryption a breeze to use for both senders and recipients.

What Is Office 365 Message Encryption?

Over the past year or so, Microsoft has been investing heavily in the information protection space. The focus of these investments has been and continues to be the discovery and classification of data. After classifying the data, the goal is to label it and then protect it if necessary. Within Office 365, there are multiple workloads that adhere to this "classification, labeling, and protection" scheme, otherwise known as CLP. Email protection is one such workload, but the challenge with email is that there's no way to control where your users are sending the data. They could be sending information to people inside of your organization or outside of it—to your vendors, to your contractors, or to entities with social IDs. Using the capabilities of Azure Information Protection, Office 365 Message Encryption meets this challenge by automatically classifying, labeling, and protecting sensitive data in email messages in accordance with one or more DLP policies, as well as by enabling the recipients of those messages to read and reply to them without needing an Office 365 E3 license.

When sending encrypted email, there's typically a burden on the recipient to have a specific app or to manually deal with public and private keys, a process which many people find confusing and laborious. The inconvenience factor steers people away from taking appropriate data security measures, so rather than trying to change human nature, Office 365 Message Encryption allows users to continue taking the path of least resistance while reducing your company's risk exposure. When messages are sent this way, the recipients will be able to read them on any device, platform, app, etc. Even if they're using Gmail, Yahoo! Mail, or some other non-Microsoft product or service, they can still easily consume the messages. If you wish, you can set restrictions on copying and forwarding.

How Does Office 365 Message Encryption Work?

To understand how Office 365 Message Encryption works, consider the following workplace scenario. Suppose that your company has hired an outside marketing consultant, and you want to send the consultant's W-9 form as an email attachment to the firm that handles your payroll. As soon as you attach a document, Office 365 will scan it for sensitive data and, if detected, a Policy Tip will appear above the message editor that says, "This email contains sensitive information and will be encrypted." To find out what type of data triggered the warning, such as a Social Security Number (SSN) or other personally identifiable information (PII), you can click on the "Learn more" link in the Policy Tip. The details about the flagged data will be followed by a message stating, "If you don't think this information is sensitive, please click Report." Your feedback regarding the labeling of certain data as sensitive will help improve the system's accuracy.
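The scenario above (SSN detected, Policy Tip shown, message encrypted) corresponds to a DLP policy with an encryption action. As an added example that is not from the original post, here is how such a policy and rule can be created in Security & Compliance Center PowerShell; the policy name, rule name, notification address and domain are placeholders.

```powershell
# Added example, not part of the original post. Assumes a Security & Compliance
# Center PowerShell session (Connect-IPPSSession). Names and addresses are placeholders.

# Policy scoped to Exchange Online mail only. Consider -Mode TestWithNotifications first
# so senders see Policy Tips (and can click "Report") while you tune false positives,
# then switch to Enable to enforce encryption.
New-DlpCompliancePolicy -Name "Encrypt PII leaving the org" `
    -ExchangeLocation All `
    -Mode Enable `
    -Comment "Auto-encrypt outbound mail containing SSNs with Office 365 Message Encryption"

# Rule: one or more U.S. SSNs sent to recipients outside the organization ->
#   - apply the Office 365 Message Encryption "Encrypt" template (Get-RMSTemplate lists it)
#   - show the sender the Policy Tip text quoted in the post while composing
#   - optionally mail an incident report to the security mailbox for investigation
New-DlpComplianceRule -Name "SSN to external: encrypt and tip" `
    -Policy "Encrypt PII leaving the org" `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This email contains sensitive information and will be encrypted." `
    -GenerateIncidentReport "dlp-incidents@contoso.example"

# Verify the rule took effect as intended.
Get-DlpComplianceRule -Identity "SSN to external: encrypt and tip" |
    Select-Object Name, Mode, AccessScope, EncryptRMSTemplate, NotifyUser | Format-List
```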

Now, what happens on the other end when the payroll firm receives your message? The firm will get an email from you that says, "[Your Name or Email] has sent you a protected message." They'll click the "Read secure message" button, which will send them to an authentication portal. If the message was sent to a Gmail address, for example, then the recipient will be asked to "Sign in with Google" and, upon authentication, will be redirected to a secure page hosted by Office 365 where the message can be read and responded to securely. (Incidentally, the protected message will preserve your company's branding, if any. In other words, it's possible to customize the appearance of your encrypted emails.)

Google, Outlook, Yahoo! and other major email services are supported as sign-in providers, but if the recipient's service is not among them, there's always the option to sign in with a one-time passcode. The passcode will be sent to the same email address to which the original encrypted message was sent, and it will expire after 15 minutes. While this does add an extra step for the recipient, it's a lot easier than fussing with cryptographic keys or some other cumbersome approach to encrypted communication. In fact, it's not much different from being asked to confirm an email address after signing up for a new online account, which most people are used to doing by now.

Enforcing Security and Compliance

While Office 365 makes encrypted email communication relatively painless, how do you quantify its security features? How can you prove that Message Encryption is doing its job? Office 365's reporting functionality will let you see how many email messages were encrypted and how they were encrypted—either manually by the sender or automatically by the application based on your DLP policies. You'll also be able to see a breakdown of the Top Encryption Recipients (your internal email, Gmail, Hotmail, etc.). To view the reports, go to the Security & Compliance center within Office 365 and click on the Message Encryption Report.

Office 365 Message Encryption is more than just a few pretty graphs, though. When combined with DLP policies, it can be used as a tool for detecting and investigating potential information leaks. Beyond looking at the Message Encryption Report, you can look at the DLP Policy Matches report. For instance, you might notice a spike in the number of email messages that are getting marked with a DLP policy violation. To see the list of DLP incidents, click on "View details table" and sort it by Date. From there, it should be apparent who the culprit is and the kind of data that might have been compromised.

Until recently, Office 365 administrators did not have the tools to do anything besides observe the occurrence of email security events and identify the offending users. The latest iteration of Office 365 Message Encryption supports the ability to revoke emails via a simple PowerShell cmdlet. When the unauthorized recipient of a protected email message attempts to access it, he or she will see a web page that says, "The message has been revoked by the sender."
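As an added example that is not from the original post, the revocation workflow in Exchange Online PowerShell: trace the flagged sender's outbound mail, confirm a chosen message is protected by Message Encryption, then revoke it. The sender address, domain and date window are placeholders.

```powershell
# Added example, not part of the original post. Assumes an Exchange Online PowerShell
# session (Connect-ExchangeOnline). Addresses and the date window are placeholders.

$Sender    = "jdoe@contoso.example"   # user identified in the DLP Policy Matches details table
$OurDomain = "contoso.example"

# 1. Trace the sender's recent mail (message trace covers roughly the last 10 days)
#    and keep only messages that left the organization.
$external = Get-MessageTrace -SenderAddress $Sender `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.RecipientAddress -notlike "*@$OurDomain" }

# 2. Review the candidates before acting; MessageId is what the OME cmdlets key on.
$external | Select-Object Received, RecipientAddress, Subject, MessageId | Format-Table -AutoSize

# 3. Pick the message that matched the DLP policy (here: the most recent one) and
#    check its protection status. Only messages protected by Office 365 Message
#    Encryption can be revoked; the status output shows whether this one is.
$target = $external | Sort-Object Received -Descending | Select-Object -First 1
Get-OMEMessageStatus -MessageId $target.MessageId | Format-List

# 4. Revoke it. From now on the recipient's portal link shows
#    "The message has been revoked by the sender."
Set-OMEMessageRevocation -Revoke $true -MessageId $target.MessageId

# 5. Confirm the new status for the incident record.
Get-OMEMessageStatus -MessageId $target.MessageId | Format-List
```

Revocation blocks further access through the portal but does not retrieve copies already saved by the recipient, so treat it as one containment step alongside the DLP investigation.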

Due to the nature of email and the Internet, it's inevitable that employees will release confidential material into the wild. With Office 365 Message Encryption and effective DLP policies, not only can you investigate the data exfiltration and figure out what's going on, you can also quickly remediate the situation. Equally valuable is the application's ability to encourage and enforce compliance by alerting users that they are about to share sensitive information and by automating its protection on both ends of the wire.