Understanding Exchange Online Data Loss Prevention


This article describes what Exchange Online Data Loss Prevention (DLP) is and how it works.


Exchange Online DLP is a built-in security feature of the Exchange Online server that scans your draft email composed in Outlook desktop client and Outlook Web Application (OWA) for social security, debit, and credit card numbers in combination with keywords such as "CC" or "SSN". These items are considered sensitive data and must be encrypted at rest and in transit, which means at all times: before, during, and after it is sent. Sending this information in the body of an email unencrypted is against university standards. For a full list of information that is considered sensitive, see this support page.

If you need to send sensitive information via email, you have several options

Please see the Protecting Sensitive Data page for more information.

DLP Policy Warning Content

If the DLP detects sensitive content, it displays the following message at the top of the email:

Policy Tip: This item appears to contain the following sensitive information: U.S. Social Security Number (SSN)[and/or Credit Card Number if applicable]. Please be aware of the Virginia Tech sensitive data protection policy at https://it.vt.edu/content/dam/it_vt_edu/policies/Standard-for-High_Risk_Digital_Data-Protection.pdf.

Image of the above instructions

If you hover over the words Policy Tip, you will see an additional popup with the following message. Clicking the Report button sets a flag on the information that can be reviewed later.

This message appears to contain the following sensitive information
- Credit Card Number (if detected)
- U.S. Social Security Number (SSN) (if detected)

If you don't think this information is sensitive, please report.

Image of the above instructions

The DLP policy does NOT prevent anyone from sending an email. It simply warns the sender that the email may contain sensitive information. If the sender still sends the message, they will receive an email containing the original message with the same Policy Tip.

Image of the above instructions