DLP-02: Blocking Bulk Data Exfiltration

Overview

Bulk data exfiltration occurs when large amounts of sensitive data are transferred outside the organization, whether through malicious intent, compromised accounts, or accidental sharing. Blocking data exfiltration protects against:

  • Insider threats stealing company data
  • Compromised accounts used for data theft
  • Accidental mass sharing of confidential information
  • Regulatory violations from unauthorized data transfers
  • Intellectual property theft

This guide covers implementing Data Loss Prevention (DLP) policies in Microsoft 365 to detect and block bulk data exfiltration attempts.

Prerequisites

Required Roles

  • Global Administrator - Full configuration access
  • Compliance Administrator - DLP policy management
  • Security Administrator - Alert configuration and investigation
  • DLP Compliance Management - Policy management

Required Licenses

Feature                          | License Required
---------------------------------|-----------------
Basic DLP (Exchange, SharePoint) | Microsoft 365 E3
Advanced DLP features            | Microsoft 365 E5
Endpoint DLP                     | Microsoft 365 E5
DLP for Teams                    | Microsoft 365 E5
DLP Alerts                       | Microsoft 365 E5

Required Permissions

  • Access to Microsoft Purview compliance portal
  • Access to Microsoft 365 Defender portal
  • Access to Conditional Access (for session controls)

Prerequisites Checklist

  • DLP-01 (Data classification) is implemented
  • Sensitivity labels are configured
  • Audit logging is enabled
  • Microsoft Defender for Cloud Apps configured (for CASB controls)

Time Estimate

Task                                 | Duration
-------------------------------------|-----------
Planning DLP strategy                | 2-3 hours
Creating DLP policies                | 3-4 hours
Configuring alerts and notifications | 1-2 hours
Testing in simulation mode           | 1-2 weeks
Enabling enforcement                 | 30 minutes
Monitoring and tuning                | Ongoing
Total                                | 2-4 weeks

Step-by-Step Instructions

Step 1: Plan Your DLP Strategy

Before creating policies, define your requirements:

Data Type             | Locations            | Exfiltration Risk | Action
----------------------|----------------------|-------------------|-------
PII (SSN, etc.)       | All                  | High              | Block
Financial data        | All                  | High              | Block
Healthcare data       | Exchange, SharePoint | High              | Block
Source code           | All                  | Medium            | Warn
Intellectual property | All                  | High              | Block
Customer data         | All                  | High              | Block

Step 2: Create DLP Policy for Bulk Data Sharing

  1. Navigate to Microsoft Purview: https://compliance.microsoft.com
  2. Go to Data loss prevention > Policies
  3. Click + Create policy

Choose Policy Template

  1. Categories: Custom
  2. Templates: Custom policy
  3. Click Next

Name and Description

  1. Configure:
    • Name: "Block Bulk Sensitive Data Sharing"
    • Description: "Prevents mass sharing of documents containing sensitive information"
  2. Click Next

Choose Locations

  1. Enable locations:

    • Exchange email
    • SharePoint sites
    • OneDrive accounts
    • Teams chat and channel messages
    • Devices (if using Endpoint DLP)
  2. Click Next

Define Policy Settings

  1. Select Create or customize advanced DLP rules
  2. Click Next

Create Advanced Rules

Rule 1: Block Bulk Email with Sensitive Content

  1. Click + Create rule

  2. Configure:

    • Name: "Block bulk email with sensitive data"
    • Description: "Blocks emails with multiple sensitive items"
  3. Conditions:

    • Content contains > Sensitive info types:
      • Credit Card Number (High confidence)
      • Social Security Number (High confidence)
      • Bank Account Number (High confidence)
    • Instance count: Greater than 10
  4. Actions:

    • Restrict access or encrypt the content in Microsoft 365 locations
    • Block everyone
  5. User notifications:

    • Enable
    • Notify users with policy tip
    • Email notification to user
  6. User overrides: Disable (for bulk data, no override)

  7. Incident reports:

    • Send alert to admins
    • Severity: High
    • Send alert when volume threshold reached
  8. Click Save

Rule 2: Block Bulk SharePoint/OneDrive Sharing

  1. Click + Create rule

  2. Configure:

    • Name: "Block bulk file sharing"
  3. Conditions:

    • Content contains > Sensitive info types (as above)
    • Instance count: Greater than 5
    • Content is shared from Microsoft 365 > With people outside my organization
  4. Actions:

    • Block access for external users
    • Block further sharing
  5. User notifications: Enable with policy tip

  6. Click Save

Rule 3: Detect Mass Downloads (alert only)

  1. Click + Create rule

  2. Configure:

    • Name: "Alert on mass download"
  3. Conditions:

    • Content contains > Sensitivity labels:
      • Confidential
      • Highly Confidential
    • Document accessed or downloaded (use activity-based conditions if available)
  4. Actions:

    • Send incident report (alert only; a content-based DLP rule cannot block a download, so the session policy in Step 4 handles the blocking)
    • High severity
  5. Click Save

Complete Policy Configuration

  1. Click Next through remaining screens
  2. Policy mode: Test it out first (simulation)
  3. Click Submit
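The same policy and its first two rules can be created from Security & Compliance PowerShell instead of the portal. The script below is an added example, not part of this guide or TrueConfig's tooling; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Compliance Administrator role, and that admin@contoso.example is a placeholder UPN. The "greater than" instance counts from the rules are expressed as minimum counts (11 and 6), and "High confidence" is the 85 confidence level. Rule 3 (label plus download activity) is not expressible with these cmdlets and is left to the portal.

```powershell
# Added example (not from the original guide): Step 2 policy and rules 1-2 via
# Security & Compliance PowerShell. Placeholder UPN; adjust before running.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$policyName = "Block Bulk Sensitive Data Sharing"

# Policy scoped to the guide's locations, created in simulation mode with
# policy tips so users see what would have been blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Prevents mass sharing of documents containing sensitive information" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types at high confidence (85).
# "Instance count greater than 10" becomes minCount 11; any listed type matches.
function New-SitSet([int] $MinCount) {
    @(
        @{ Name = "Credit Card Number";                minCount = "$MinCount"; minConfidence = "85" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "$MinCount"; minConfidence = "85" },
        @{ Name = "U.S. Bank Account Number";          minCount = "$MinCount"; minConfidence = "85" }
    )
}

# Rule 1: block everyone, no user override, high-severity incident report to admins.
New-DlpComplianceRule -Name "Block bulk email with sensitive data" -Policy $policyName `
    -Comment "Blocks emails with multiple sensitive items" `
    -ContentContainsSensitiveInformation (New-SitSet -MinCount 11) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier -NotifyPolicyTipDisplayOption Tip `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# Rule 2: only fires when content is shared outside the organization;
# BlockAccessScope PerUser blocks the external recipients, not internal users.
New-DlpComplianceRule -Name "Block bulk file sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation (New-SitSet -MinCount 6) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier -NotifyPolicyTipDisplayOption Tip `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All `
    -ReportSeverityLevel High

# Confirm both rules are attached to the policy.
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, AccessScope, ReportSeverityLevel
```

Leaving out -NotifyAllowOverride is what keeps overrides disabled for bulk data. When the simulation period in Step 10 is over, the switch to enforcement is `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable`.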

Step 3: Create Endpoint DLP Policy

Block data exfiltration at the endpoint:

  1. Navigate to Data loss prevention > Policies
  2. Click + Create policy
  3. Select Custom > Custom policy

Configure Endpoint DLP

  1. Name: "Endpoint - Block USB and Cloud Upload"

  2. Locations: Select Devices

  3. Click Next

  4. Create rules for:

Rule: Block Copy to USB

Conditions:
- Content contains sensitive information types
- File activity: Copy to USB removable media

Actions:
- Block the activity
- Audit

Exceptions:
- None (or specific approved USB devices)

Rule: Block Cloud Service Upload

Conditions:
- Content contains sensitivity labels: Confidential, Highly Confidential
- File activity: Upload to cloud service

Actions:
- Block
- Warn with override (optional)
- Audit

Services to monitor:
- Dropbox
- Google Drive
- Personal OneDrive
- Other cloud storage

Rule: Block Bluetooth Transfer

Conditions:
- Content contains sensitive data
- File activity: Transfer via Bluetooth

Actions:
- Block
- Audit
  5. Complete the wizard and enable the policy in test mode

Step 4: Configure Microsoft Defender for Cloud Apps Policies

For advanced session controls:

  1. Navigate to Microsoft 365 Defender: https://security.microsoft.com
  2. Go to Cloud Apps > Policies > Policy management

Session Policy: Block Bulk Downloads

  1. Click Create policy > Session policy

  2. Configure:

    • Policy name: "Block Bulk Downloads"
    • Session control type: Control file download (with inspection)
  3. Activity source:

    • App equals: Microsoft SharePoint Online, Microsoft OneDrive
    • Activity type equals: Download
  4. Activity filter:

    • Files matching: Sensitivity label = Confidential, Highly Confidential
    • Or: File count in session > 50
  5. Actions:

    • Block download
    • Notify user
  6. Click Create

Access Policy: Limit External Sharing

  1. Create new Access policy:

    • Name: "Limit External Sharing Sessions"
    • Session type: Conditional Access App Control
  2. Conditions:

    • App: SharePoint, OneDrive
    • Device: Non-compliant or unmanaged
  3. Actions:

    • Block external sharing
    • Allow view only (optional)

Step 5: Configure Conditional Access Session Controls

Enable session controls for Cloud Apps:

  1. Navigate to Microsoft Entra admin center > Protection > Conditional Access
  2. Create or edit a policy:

Configure Session Controls

  1. Name: "CA-DLP-SessionControl"

  2. Users: All users (or high-risk users)

  3. Cloud apps:

    • Microsoft SharePoint Online
    • Microsoft Exchange Online
    • Microsoft Teams
  4. Conditions:

    • Device platforms: Unmanaged
    • Or: Locations: Outside trusted locations
  5. Session:

    • Use Conditional Access App Control
    • Use custom policy (from Defender for Cloud Apps)
  6. Enable policy

Step 6: Configure Alert Thresholds

Set up alerts for exfiltration attempts:

  1. Navigate to Microsoft Purview > Data loss prevention > Alerts
  2. Review alert configuration in each DLP policy

Configure Volume-Based Alerts

For each DLP policy, configure:

Threshold Type               | Value       | Alert
-----------------------------|-------------|----------------------------
Single event (High severity) | 1 match     | Immediate
Volume in 24 hours           | 10+ matches | High priority
Volume in 1 hour             | 50+ matches | Critical (potential breach)

Step 7: Create Activity Policies for Anomalous Behavior

  1. Navigate to Cloud Apps > Policies

  2. Create Activity policy:

    • Name: "Anomalous Mass Download"
    • Policy type: Activity policy
  3. Activity filters:

    • Activity type: Download file
    • App: SharePoint, OneDrive
    • Repeated activity: Yes
      • Minimum activities: 100
      • Within: 1 hour
  4. Alerts:

    • High severity
    • Immediate notification
  5. Governance actions:

    • Suspend user (after investigation)
    • Require sign-in again
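The Step 6 threshold table and the Step 7 repeated-download rule are both sliding-window counts per user. The script below is an added example (not from this guide) that applies those thresholds to a batch of DLP match and download records so a SOC can see which user and timestamp would have produced each alert. The records are constructed here for illustration; in practice they would come from the Step 8 SIEM export. Field names (User, Time, Kind, Severity) are assumptions of this example.

```powershell
# Added example (not from the original guide): evaluates per-user event batches
# against the Step 6 volume thresholds and the Step 7 mass-download rule.

function Test-WindowThreshold {
    # Two-pointer scan over sorted timestamps; returns the first time at which
    # $Threshold events fall inside a trailing $Window, or $null if never.
    param([datetime[]] $Times, [timespan] $Window, [int] $Threshold)
    $start = 0
    for ($i = 0; $i -lt $Times.Count; $i++) {
        while (($Times[$i] - $Times[$start]) -gt $Window) { $start++ }
        if (($i - $start + 1) -ge $Threshold) { return $Times[$i] }
    }
    return $null
}

function Get-ExfiltrationAlerts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # User, Time, Kind ('Match'|'Download'), Severity
        [int] $DailyThreshold    = 10,    # Step 6: 10+ matches in 24 h   -> High priority
        [int] $HourlyThreshold   = 50,    # Step 6: 50+ matches in 1 h    -> Critical
        [int] $DownloadThreshold = 100    # Step 7: 100+ downloads in 1 h -> Anomalous mass download
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object User)) {
        $user      = $group.Name
        $sorted    = @($group.Group | Sort-Object Time)
        $matches   = @($sorted | Where-Object Kind -eq 'Match')
        $downloads = @($sorted | Where-Object Kind -eq 'Download')

        # Step 6, single high-severity match: alert immediately.
        foreach ($m in ($matches | Where-Object Severity -eq 'High')) {
            $alerts += [pscustomobject]@{ User = $user; Level = 'Immediate'; Reason = 'High-severity DLP match'; At = $m.Time }
        }

        # Step 6, volume thresholds: report only the most severe window that trips.
        $matchTimes = [datetime[]]@($matches | ForEach-Object Time)
        $crit = Test-WindowThreshold -Times $matchTimes -Window ([timespan]::FromHours(1))  -Threshold $HourlyThreshold
        $high = Test-WindowThreshold -Times $matchTimes -Window ([timespan]::FromHours(24)) -Threshold $DailyThreshold
        if ($null -ne $crit) {
            $alerts += [pscustomobject]@{ User = $user; Level = 'Critical'; Reason = "$HourlyThreshold+ matches in 1 hour (potential breach)"; At = $crit }
        } elseif ($null -ne $high) {
            $alerts += [pscustomobject]@{ User = $user; Level = 'High'; Reason = "$DailyThreshold+ matches in 24 hours"; At = $high }
        }

        # Step 7, repeated download activity within one hour.
        $dlTimes = [datetime[]]@($downloads | ForEach-Object Time)
        $mass = Test-WindowThreshold -Times $dlTimes -Window ([timespan]::FromHours(1)) -Threshold $DownloadThreshold
        if ($null -ne $mass) {
            $alerts += [pscustomobject]@{ User = $user; Level = 'High'; Reason = "Anomalous mass download: $DownloadThreshold+ files in 1 hour"; At = $mass }
        }
    }
    return $alerts
}

# Constructed sample records (not real telemetry): one user with spread-out
# matches, one with a burst of downloads, one with a single high-severity match.
$base   = Get-Date '2025-01-07T09:00:00'
$sample = @()
foreach ($n in 1..12)  { $sample += [pscustomobject]@{ User = 'alice@contoso.example'; Time = $base.AddHours($n * 1.5);  Kind = 'Match';    Severity = 'Medium' } }
foreach ($n in 1..120) { $sample += [pscustomobject]@{ User = 'bob@contoso.example';   Time = $base.AddSeconds($n * 20); Kind = 'Download'; Severity = 'Low' } }
$sample += [pscustomobject]@{ User = 'carol@contoso.example'; Time = $base; Kind = 'Match'; Severity = 'High' }

Get-ExfiltrationAlerts -Events $sample | Format-Table -AutoSize
```

Each of the three constructed users is built to trip a different branch, which is a useful shape for the Step 9 test scenarios as well: raise or lower the threshold parameters and re-run to see how the table in Step 6 behaves against your own baseline before committing the values in the portal.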

Step 8: Configure Alerting and Notifications

Set up comprehensive alerting:

Email Notifications

  1. Navigate to Microsoft Purview > Data loss prevention > Policies
  2. Edit each policy
  3. Under Incident reports, configure:

Microsoft Teams Notifications

  1. Navigate to Cloud Apps > Settings > Governance log
  2. Configure Teams channel notifications
  3. Create channel for DLP alerts

SIEM Integration

For enterprise SOC integration:

  1. Navigate to Microsoft 365 Defender > Settings > Streaming API
  2. Configure export to:
    • Azure Event Hub
    • Azure Sentinel
    • Third-party SIEM

Step 9: Test and Validate Policies

Before enforcement:

  1. Create test scenarios:

    • Bulk email with fake credit card numbers
    • Large file share to external user
    • Mass download simulation
  2. Run in simulation mode:

    • Review "What if" in policy simulation
    • Check alerts generated
    • Validate no false positives
  3. Review simulation results:

    • Navigate to DLP > Policy matches
    • Review each match
    • Tune thresholds if needed
  4. Test user experience:

    • Verify policy tips appear
    • Test override process (if enabled)
    • Confirm notification emails received

Step 10: Enable Enforcement

After successful testing:

  1. Navigate to Data loss prevention > Policies
  2. Edit each policy
  3. Change Policy mode to Turn it on right away
  4. Click Submit

Recommended Rollout:

  • Week 1-2: Simulation mode
  • Week 3: Warn mode (policy tips, no blocking)
  • Week 4+: Full enforcement

Verification Checklist

After implementing exfiltration protection, verify:

  • DLP policies created for all data types
  • Policies applied to all locations (email, SharePoint, OneDrive, Teams)
  • Endpoint DLP policies enabled (if applicable)
  • Cloud Apps session policies configured
  • Conditional Access session controls enabled
  • Alert thresholds configured appropriately
  • Security team receiving notifications
  • Test scenarios blocked successfully
  • User policy tips displaying correctly
  • Simulation mode completed without issues
  • Documentation updated with policies

Troubleshooting

Issue: DLP Policy Not Triggering

Cause: Policy conditions not matched or not enabled.

Solution:

  1. Verify policy is enabled (not in simulation)
  2. Check content contains expected sensitive data
  3. Verify instance count thresholds
  4. Check location is in scope
  5. Wait for policy propagation (up to 1 hour)

Issue: Too Many False Positives

Cause: Overly sensitive patterns or low thresholds.

Solution:

  1. Increase instance count thresholds
  2. Use higher confidence levels
  3. Add exceptions for known safe content
  4. Use supporting elements (keywords)
  5. Create allowlist for specific users/groups

Issue: Users Bypassing DLP

Cause: Users finding workarounds.

Solution:

  1. Enable Endpoint DLP for device-level control
  2. Block personal cloud storage via Cloud Apps
  3. Disable USB on managed devices
  4. Monitor for anomalous behavior
  5. Educate users on policies

Issue: Alerts Overwhelming Security Team

Cause: Thresholds too low or too many policies.

Solution:

  1. Increase volume thresholds
  2. Consolidate similar policies
  3. Use aggregated alerts
  4. Implement tiered alerting
  5. Automate initial triage

Issue: Endpoint DLP Not Working

Cause: Agent or configuration issue.

Solution:

  1. Verify Defender for Endpoint is deployed
  2. Check device is onboarded
  3. Verify DLP settings in Defender settings
  4. Check for conflicting policies
  5. Review Defender logs on device

Cost Considerations

License Requirements

Feature                          | License          | Cost (approx.)
---------------------------------|------------------|-----------------
Basic DLP (Exchange, SharePoint) | Microsoft 365 E3 | $36/user/month
Full DLP + Endpoint DLP          | Microsoft 365 E5 | $57/user/month
E5 Compliance add-on             | E5 Compliance    | $12/user/month
Cloud App Security (standalone)  | MDCA             | $3.50/user/month

Storage and Processing Costs

DLP processing is included in license costs. No additional Azure charges for standard DLP.

Cost Optimization

  1. Prioritize high-risk users:

    • E5 for users handling sensitive data
    • E3 for general users
  2. Use built-in features:

    • Leverage included capabilities before add-ons
    • Use policy templates
  3. Efficient policy design:

    • Combine conditions in fewer policies
    • Avoid overlapping policies

ROI Calculation

Metric                   | Without DLP | With DLP
-------------------------|-------------|----------------------
Data breach risk         | High        | Low
Average breach cost      | $4.45M      | Significantly reduced
Compliance fines         | Potential   | Mitigated
Insider threat detection | Reactive    | Proactive

Best Practices

  1. Layer your defenses:

    • DLP policies + Endpoint DLP + Cloud Apps
    • Multiple detection mechanisms
    • Defense in depth approach
  2. Start with visibility:

    • Begin in simulation mode
    • Understand data flows
    • Identify normal patterns
  3. Tune before enforcement:

    • Address false positives in simulation
    • Adjust thresholds based on baseline
    • Get stakeholder buy-in
  4. Communicate with users:

    • Explain why policies exist
    • Provide clear policy tips
    • Offer legitimate alternatives
  5. Monitor continuously:

    • Review alerts daily
    • Track policy effectiveness
    • Update for new threats
  6. Document exceptions:

    • Business justification required
    • Time-limited exceptions
    • Regular review

Related Controls

  • DLP-01: Enabling sensitive data classification
  • LOG-01: Audit log retention
  • LOG-05: Anomaly detection
  • GOV-04: Incident response procedures

Revision History

Date       | Version | Author     | Changes
-----------|---------|------------|----------------
2025-01-07 | 1.0     | TrueConfig | Initial release