
Skyhigh Security

About Exchange Online Inline Email DLP

Inline Email DLP extends Skyhigh CASB DLP to the messages sent from your organization's mailboxes. Exchange Online remediation actions occur in real-time, so sensitive data never leaves your organization through Exchange Online email messages.

NOTE: Skyhigh Security supports Exchange Online Inline Email DLP only for outgoing emails.

Prerequisites

To configure inline DLP, you need the following:

  • Skyhigh CASB tenant
  • Office 365 account with global admin permissions
  • Exchange Online email account

IMPORTANT: Skyhigh CASB supports only User Mailboxes, ideally from the Service account that is integrated. Shared Mailboxes are not supported.

Confirm that you can send and receive emails before proceeding.

Known Behavior

When an inline DLP policy is created for Exchange Online and the policy is violated, an email notification is sent to internal or external users' email addresses via the To/From/Cc/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn't show the information of the Bcc recipients.

A known issue occurs when an email contains multiple events, such as Bcc recipients or internal and external recipients, and an inline policy is configured with a Delete response action. The event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the Bcc recipients' information along with the email message and associated metadata before being deleted. Because the email has already been deleted, the subsequent events can't find it. As a result, the subsequent incidents cannot populate the Bcc recipients' details.

Microsoft 365 License 

Skyhigh CASB for Exchange Online requires a Microsoft 365 E3 license. For more information, see microsoft.com.

Components 

The following components are required for this feature:

  • Exchange Online mail routing (connectors and rules)
  • Skyhigh CASB Gateway (mail is routed from O365 to Skyhigh CASB Gateway proxy)
  • Skyhigh CASB Gateway connection to Exchange Online API for quarantine and delete remediation actions

Email Flow 

Office 365 is configured to send messages through Skyhigh CASB Gateway so it can inspect the contents of the message. Skyhigh CASB Gateway acts as an SMTP proxy and as such never stores or queues messages. Messages are processed in real-time and require an active inbound and outbound SMTP session to proxy both legs.

The email flow is as follows:

  1. A user in your organization sends a message.
  2. Based on mail routing rules configured in Exchange Online, messages are forwarded to the Skyhigh CASB Gateway SMTP server. 
  3. The Skyhigh CASB Gateway SMTP server proxies the connection from Exchange Online server (2), performs DLP inspection, and proxies back the connection to Exchange Online server (4).
  4. The message is received by Exchange Online.
  5. Exchange Online forwards the message onto the original destination(s).

basic_flow.png

NOTE:

When Inline Email DLP users send an email, there is a timeout of 55 seconds to receive a response from the Skyhigh CASB Gateway SMTP server. If the DLP inspection or policy evaluation is not finished within 55 seconds, the Skyhigh CASB Gateway SMTP server uses the fail open process, which relays the email back to Exchange Online without waiting for the policy evaluation to finish.

This timeout behavior can be overridden by allowing the policy evaluation to continue in the backend and caching the results. In that case, if the Skyhigh CASB Gateway SMTP server processes the policy evaluation for more than 55 seconds, it allows the connection to time out instead of using the fail open process. The Skyhigh CASB Gateway SMTP server continues policy evaluation in the background, and the policy evaluation results are cached temporarily. When the email is re-sent after the timeout, the Skyhigh CASB Gateway SMTP server inspects the cache to see if the policy evaluation results are still available and then takes the appropriate action (Allow, Block, Quarantine) on the email. The maximum timeout if the policy evaluation result is not yet ready (still processing) is set to 30 minutes by default.
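The two timeout behaviours in the note above, as an added toy model (not Skyhigh code) that shows which one can let a message through without a policy verdict. The function names, outcome labels, retry schedule, and the handling of a re-sent message within a fresh 55-second window are assumptions made for illustration.

```python
# Added illustration: a toy model of the two timeout behaviours in the note.
SMTP_WINDOW_S = 55           # from the page: time allowed for a gateway response
PENDING_LIMIT_S = 30 * 60    # from the page: default maximum while still processing
TIMED_OUT = "Timed out, evaluation continues"
UNINSPECTED = "Relayed without verdict"


def trace_delivery(eval_seconds, verdict, retry_times=(), fail_open=True):
    """Return [(attempt_time_s, outcome), ...] for one outgoing message.

    eval_seconds -- how long policy evaluation takes (constructed value)
    verdict      -- the policy result: "Allow", "Block" or "Quarantine"
    retry_times  -- when Exchange Online re-sends, in seconds after the first
                    attempt (assumed schedule; the page does not give one)
    fail_open    -- True: relay once the window expires; False: let the
                    session time out and keep evaluating in the background
    """
    if eval_seconds <= SMTP_WINDOW_S:
        return [(0, verdict)]                  # verdict ready inside the window
    if fail_open:
        return [(0, UNINSPECTED)]              # fail open: the verdict is never applied
    events = [(0, TIMED_OUT)]
    for t in sorted(retry_times):
        if eval_seconds <= t + SMTP_WINDOW_S:
            # Assumption: the re-sent message is answered from the cached
            # result as soon as that result exists.
            events.append((t, verdict))
            return events
        if t >= PENDING_LIMIT_S:
            # The page states the 30-minute limit, not what happens after it.
            events.append((t, "Pending limit reached"))
            return events
        events.append((t, TIMED_OUT))
    return events


def relayed_uninspected(events):
    """True if any attempt was relayed without a policy verdict."""
    return any(outcome == UNINSPECTED for _, outcome in events)
```

With a 120-second evaluation that ends in Block, the fail-open trace relays the message on the first attempt, while the override trace applies Block on the first re-send that finds the cached result.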

Message Transport Error Handling 

Because the Skyhigh CASB Gateway acts as an SMTP proxy, it never accepts the SMTP connection unless the outbound leg can be established. Skyhigh CASB Gateway never queues or stores messages, so both legs of the connection must be up for messages to flow. This ensures that any issues with connections are handled by Exchange Online. Should a connection fail, the sending Exchange Online server re-queues the message and tries again.

Error messages received from the receiving SMTP gateway are relayed back to the sending SMTP gateway so the sending gateway can re-queue the message for transport.

error_transport.png

Remediation Options 

Because Inline DLP is done in real-time, it requires the API-based Skyhigh CASB Gateway integration. Skyhigh CASB Gateway ensures that emails are blocked, deleted, or quarantined before they ever leave a sender's email account. For example, if you set up a DLP policy that deletes emails containing sensitive keywords, any message containing a specified word is deleted from a sender's mailbox. 

With Skyhigh CASB Gateway, you can choose from the following options:

  • Block. When an email is blocked, the email remains in the sender's Sent folder, but the intended recipient does not receive the message. The Skyhigh CASB admin does not receive a copy of the email in the Quarantined folder. The email does not leave the sender's account.
  • Delete. When an email is deleted, the email is removed from the sender's Sent folder, and the intended recipient does not get the email. The Skyhigh CASB admin does not receive the email in the Quarantined folder. 
  • Quarantine. When an email is quarantined, the Skyhigh CASB Admin receives the email in the Quarantined folder. Emails are quarantined in real-time, via API.
  • Notifications. You can choose to notify users and/or Skyhigh CASB admins via email when messages are blocked, deleted, or quarantined.
  • Block Failed. Block Failed indicates that no modifications are made to the incident response because the email has left the sender’s account, the block has failed, and the email has reached the recipients. 
  • Add X Header Failed. Add X Header Failed indicates that no header is added. No modifications are made to the incident response because the block has failed and the email has reached the recipients. 
  • Block Failed and Deleted. Block Failed and Deleted indicates that the block has failed, and the email has reached the recipients.
  • Block Failed and Delete Failed. Block Failed and Delete Failed indicates that the block has failed, and the email has reached the recipients. 
  • Block Failed and Quarantined. Block Failed and Quarantined indicates that the block has failed, and the email has reached the recipients. The Quarantine action performed on the sender’s sent items and the recipient's inbox is successful for one or more items. 
  • Block Failed and Quarantine Failed. Block Failed and Quarantine Failed indicates that the block has failed, and the email has reached the recipients. The Quarantine action performed on the sender’s sent items and the recipient's inbox has failed.