DLP-02: Blocking Bulk Data Exfiltration
Overview
Bulk data exfiltration occurs when large amounts of sensitive data are transferred outside the organization, whether through malicious intent, compromised accounts, or accidental sharing. Blocking data exfiltration protects against:
- Insider threats stealing company data
- Compromised accounts used for data theft
- Accidental mass sharing of confidential information
- Regulatory violations from unauthorized data transfers
- Intellectual property theft
This guide covers implementing Data Loss Prevention (DLP) policies in Microsoft 365 to detect and block bulk data exfiltration attempts.
Prerequisites
Required Roles
- Global Administrator - Full configuration access
- Compliance Administrator - DLP policy management
- Security Administrator - Alert configuration and investigation
- DLP Compliance Management - Policy management
Required Licenses
| Feature | License Required |
|---|---|
| Basic DLP (Exchange, SharePoint) | Microsoft 365 E3 |
| Advanced DLP features | Microsoft 365 E5 |
| Endpoint DLP | Microsoft 365 E5 |
| DLP for Teams | Microsoft 365 E5 |
| DLP Alerts | Microsoft 365 E5 |
Required Permissions
- Access to Microsoft Purview compliance portal
- Access to Microsoft 365 Defender portal
- Access to Conditional Access (for session controls)
Prerequisites Checklist
- DLP-01 (Data classification) is implemented
- Sensitivity labels are configured
- Audit logging is enabled
- Microsoft Defender for Cloud Apps configured (for CASB controls)
Time Estimate
| Task | Duration |
|---|---|
| Planning DLP strategy | 2-3 hours |
| Creating DLP policies | 3-4 hours |
| Configuring alerts and notifications | 1-2 hours |
| Testing in simulation mode | 1-2 weeks |
| Enabling enforcement | 30 minutes |
| Monitoring and tuning | Ongoing |
| Total | 2-4 weeks |
Step-by-Step Instructions
Step 1: Plan Your DLP Strategy
Before creating policies, define your requirements:
| Data Type | Locations | Exfiltration Risk | Action |
|---|---|---|---|
| PII (SSN, etc.) | All | High | Block |
| Financial data | All | High | Block |
| Healthcare data | Exchange, SharePoint | High | Block |
| Source code | All | Medium | Warn |
| Intellectual property | All | High | Block |
| Customer data | All | High | Block |
Step 2: Create DLP Policy for Bulk Data Sharing
- Navigate to Microsoft Purview: https://compliance.microsoft.com
- Go to Data loss prevention > Policies
- Click + Create policy
Choose Policy Template
- Categories: Custom
- Templates: Custom policy
- Click Next
Name and Description
- Configure:
- Name: "Block Bulk Sensitive Data Sharing"
- Description: "Prevents mass sharing of documents containing sensitive information"
- Click Next
Choose Locations
- Enable locations:
  - Exchange email
  - SharePoint sites
  - OneDrive accounts
  - Teams chat and channel messages
  - Devices (if using Endpoint DLP)
- Click Next
Define Policy Settings
- Select Create or customize advanced DLP rules
- Click Next
Create Advanced Rules
Rule 1: Block Bulk Email with Sensitive Content
- Click + Create rule
- Configure:
  - Name: "Block bulk email with sensitive data"
  - Description: "Blocks emails with multiple sensitive items"
- Conditions:
  - Content contains > Sensitive info types:
    - Credit Card Number (High confidence)
    - Social Security Number (High confidence)
    - Bank Account Number (High confidence)
  - Instance count: Greater than 10
- Actions:
  - Restrict access or encrypt the content in Microsoft 365 locations
  - Block everyone
- User notifications:
  - Enable
  - Notify users with policy tip
  - Email notification to user
- User overrides: Disable (for bulk data, no override)
- Incident reports:
  - Send alert to admins
  - Severity: High
  - Send alert when volume threshold reached
- Click Save
Rule 2: Block Bulk SharePoint/OneDrive Sharing
- Click + Create rule
- Configure:
  - Name: "Block bulk file sharing"
- Conditions:
  - Content contains > Sensitive info types (as above)
  - Instance count: Greater than 5
  - Content is shared from Microsoft 365 > With people outside my organization
- Actions:
  - Block access for external users
  - Block further sharing
- User notifications: Enable with policy tip
- Click Save
Rule 3: Alert on Mass Downloads
- Click + Create rule
- Configure:
  - Name: "Alert on mass download"
- Conditions:
  - Content contains > Sensitivity labels:
    - Confidential
    - Highly Confidential
  - Document accessed or downloaded (use activity-based conditions if available)
- Actions:
  - Send incident reports (alert only; downloads are harder to block with a DLP rule, so the session and endpoint controls in later steps do the blocking)
  - High severity
- Click Save
Complete Policy Configuration
- Click Next through remaining screens
- Policy mode: Test it out first (simulation)
- Click Submit
Step 3: Create Endpoint DLP Policy
Block data exfiltration at the endpoint:
- Navigate to Data loss prevention > Policies
- Click + Create policy
- Select Custom > Custom policy
Configure Endpoint DLP
- Name: "Endpoint - Block USB and Cloud Upload"
- Locations: Select Devices
- Click Next
- Create rules for:
Rule: Block Copy to USB
Conditions:
- Content contains sensitive information types
- File activity: Copy to USB removable media
Actions:
- Block the activity
- Audit
Exceptions:
- None (or specific approved USB devices)
Rule: Block Cloud Service Upload
Conditions:
- Content contains sensitivity labels: Confidential, Highly Confidential
- File activity: Upload to cloud service
Actions:
- Block
- Warn with override (optional)
- Audit
Services to monitor:
- Dropbox
- Google Drive
- Personal OneDrive
- Other cloud storage
Rule: Block Bluetooth Transfer
Conditions:
- Content contains sensitive data
- File activity: Transfer via Bluetooth
Actions:
- Block
- Audit
- Complete wizard and enable in test mode
Step 4: Configure Microsoft Defender for Cloud Apps Policies
For advanced session controls:
- Navigate to Microsoft 365 Defender: https://security.microsoft.com
- Go to Cloud Apps > Policies > Policy management
Session Policy: Block Bulk Downloads
- Click Create policy > Session policy
- Configure:
  - Policy name: "Block Bulk Downloads"
  - Session control type: Control file download (with inspection)
- Activity source:
  - App equals: Microsoft SharePoint Online, Microsoft OneDrive
  - Activity type equals: Download
- Activity filter:
  - Files matching: Sensitivity label = Confidential, Highly Confidential
  - Or: File count in session > 50
- Actions:
  - Block download
  - Notify user
- Click Create
Access Policy: Limit External Sharing
- Create new Access policy:
  - Name: "Limit External Sharing Sessions"
  - Session type: Conditional Access App Control
- Conditions:
  - App: SharePoint, OneDrive
  - Device: Non-compliant or unmanaged
- Actions:
  - Block external sharing
  - Allow view only (optional)
Step 5: Configure Conditional Access Session Controls
Enable session controls for Cloud Apps:
- Navigate to Microsoft Entra admin center > Protection > Conditional Access
- Create or edit a policy:
Configure Session Controls
- Name: "CA-DLP-SessionControl"
- Users: All users (or high-risk users)
- Cloud apps:
  - Microsoft SharePoint Online
  - Microsoft Exchange Online
  - Microsoft Teams
- Conditions:
  - Device platforms: Unmanaged
  - Or: Locations: Outside trusted locations
- Session:
  - Use Conditional Access App Control
  - Use custom policy (from Defender for Cloud Apps)
- Enable policy
Step 6: Configure Alert Thresholds
Set up alerts for exfiltration attempts:
- Navigate to Microsoft Purview > Data loss prevention > Alerts
- Review alert configuration in each DLP policy
Configure Volume-Based Alerts
For each DLP policy, configure:
| Threshold Type | Value | Alert |
|---|---|---|
| Single event (High severity) | 1 match | Immediate |
| Volume in 24 hours | 10+ matches | High priority |
| Volume in 1 hour | 50+ matches | Critical (potential breach) |
Step 7: Create Activity Policies for Anomalous Behavior
- Navigate to Cloud Apps > Policies
- Create Activity policy:
  - Name: "Anomalous Mass Download"
  - Policy type: Activity policy
- Activity filters:
  - Activity type: Download file
  - App: SharePoint, OneDrive
  - Repeated activity: Yes
  - Minimum activities: 100
  - Within: 1 hour
- Alerts:
  - High severity
  - Immediate notification
- Governance actions:
  - Suspend user (after investigation)
  - Require sign-in again
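To verify that the 100-downloads-in-1-hour threshold above catches what you expect, or to hunt for it retroactively in the unified audit log, the following added example (not part of the original guide) applies the same sliding-window test to FileDownloaded records. The sample events and the contoso.example users are constructed; the commented Search-UnifiedAuditLog call shows how to feed real records.

```powershell
# Added example, not from the original guide: an offline check that reproduces the
# Step 7 threshold (100 downloads by one user within 1 hour) over unified audit log
# records with a sliding window. The sample events below are constructed; the
# commented Search-UnifiedAuditLog call shows how to feed real FileDownloaded events.
function Find-MassDownload {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with UserId and CreationTime
        [int] $MinActivities = 100,
        [int] $WindowMinutes = 60
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object UserId)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        $start = 0
        # Sliding window: move $start forward until the window spans at most $WindowMinutes
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $MinActivities) {
                $hits += [pscustomobject]@{
                    UserId      = $group.Name
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$end]
                    Downloads   = $count
                }
                break  # one alert per user is enough for triage
            }
        }
    }
    return $hits
}

# Constructed sample: alice pulls 120 files in 40 minutes, bob 30 files over 3 hours
$base   = [datetime]'2025-01-07T02:00:00Z'
$sample = @()
foreach ($i in 1..120) {
    $sample += [pscustomobject]@{ UserId = 'alice@contoso.example'; CreationTime = $base.AddSeconds($i * 20); ObjectId = "https://contoso.example/sites/hr/doc$($i).docx" }
}
foreach ($i in 1..30) {
    $sample += [pscustomobject]@{ UserId = 'bob@contoso.example'; CreationTime = $base.AddMinutes($i * 6); ObjectId = "https://contoso.example/sites/eng/spec$($i).docx" }
}

Find-MassDownload -Events $sample | Format-Table  # flags alice only

# Real data (after Connect-IPPSSession): FileDownloaded events from the last 24 hours
# $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#     -Operations FileDownloaded -ResultSize 5000 |
#     ForEach-Object { $_.AuditData | ConvertFrom-Json }
# Find-MassDownload -Events $events
```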
Step 8: Configure Alerting and Notifications
Set up comprehensive alerting:
Email Notifications
- Navigate to Microsoft Purview > Data loss prevention > Policies
- Edit each policy
- Under Incident reports, configure:
- Email: security-team@yourcompany.com
- Severity thresholds
- Include matched content: Yes (for investigation)
Microsoft Teams Notifications
- Navigate to Cloud Apps > Settings > Governance log
- Configure Teams channel notifications
- Create channel for DLP alerts
SIEM Integration
For enterprise SOC integration:
- Navigate to Microsoft 365 Defender > Settings > Streaming API
- Configure export to:
- Azure Event Hub
- Azure Sentinel
- Third-party SIEM
Step 9: Test and Validate Policies
Before enforcement:
- Create test scenarios:
  - Bulk email with fake credit card numbers
  - Large file share to external user
  - Mass download simulation
- Run in simulation mode:
  - Review "What if" in policy simulation
  - Check alerts generated
  - Validate no false positives
- Review simulation results:
  - Navigate to DLP > Policy matches
  - Review each match
  - Tune thresholds if needed
- Test user experience:
  - Verify policy tips appear
  - Test override process (if enabled)
  - Confirm notification emails received
Step 10: Enable Enforcement
After successful testing:
- Navigate to Data loss prevention > Policies
- Edit each policy
- Change Policy mode to Turn it on right away
- Click Submit
Recommended Rollout:
- Week 1-2: Simulation mode
- Week 3: Warn mode (policy tips, no blocking)
- Week 4+: Full enforcement
Verification Checklist
After implementing exfiltration protection, verify:
- DLP policies created for all data types
- Policies applied to all locations (email, SharePoint, OneDrive, Teams)
- Endpoint DLP policies enabled (if applicable)
- Cloud Apps session policies configured
- Conditional Access session controls enabled
- Alert thresholds configured appropriately
- Security team receiving notifications
- Test scenarios blocked successfully
- User policy tips displaying correctly
- Simulation mode completed without issues
- Documentation updated with policies
Troubleshooting
Issue: DLP Policy Not Triggering
Cause: Policy conditions not matched or not enabled.
Solution:
- Verify policy is enabled (not in simulation)
- Check content contains expected sensitive data
- Verify instance count thresholds
- Check location is in scope
- Wait for policy propagation (up to 1 hour)
Issue: Too Many False Positives
Cause: Overly sensitive patterns or low thresholds.
Solution:
- Increase instance count thresholds
- Use higher confidence levels
- Add exceptions for known safe content
- Use supporting elements (keywords)
- Create allowlist for specific users/groups
Issue: Users Bypassing DLP
Cause: Users finding workarounds.
Solution:
- Enable Endpoint DLP for device-level control
- Block personal cloud storage via Cloud Apps
- Disable USB on managed devices
- Monitor for anomalous behavior
- Educate users on policies
Issue: Alerts Overwhelming Security Team
Cause: Thresholds too low or too many policies.
Solution:
- Increase volume thresholds
- Consolidate similar policies
- Use aggregated alerts
- Implement tiered alerting
- Automate initial triage
Issue: Endpoint DLP Not Working
Cause: Agent or configuration issue.
Solution:
- Verify Defender for Endpoint is deployed
- Check device is onboarded
- Verify DLP settings in Defender settings
- Check for conflicting policies
- Review Defender logs on device
Cost Considerations
License Requirements
| Feature | License | Cost (approx.) |
|---|---|---|
| Basic DLP (Exchange, SharePoint) | Microsoft 365 E3 | $36/user/month |
| Full DLP + Endpoint DLP | Microsoft 365 E5 | $57/user/month |
| E5 Compliance add-on | E5 Compliance | $12/user/month |
| Cloud App Security (standalone) | MDCA | $3.50/user/month |
Storage and Processing Costs
DLP processing is included in license costs. No additional Azure charges for standard DLP.
Cost Optimization
- Prioritize high-risk users:
  - E5 for users handling sensitive data
  - E3 for general users
- Use built-in features:
  - Leverage included capabilities before add-ons
  - Use policy templates
- Efficient policy design:
  - Combine conditions in fewer policies
  - Avoid overlapping policies
ROI Calculation
| Metric | Without DLP | With DLP |
|---|---|---|
| Data breach risk | High | Low |
| Average breach cost | $4.45M | Significantly reduced |
| Compliance fines | Potential | Mitigated |
| Insider threat detection | Reactive | Proactive |
Best Practices
- Layer your defenses:
  - DLP policies + Endpoint DLP + Cloud Apps
  - Multiple detection mechanisms
  - Defense in depth approach
- Start with visibility:
  - Begin in simulation mode
  - Understand data flows
  - Identify normal patterns
- Tune before enforcement:
  - Address false positives in simulation
  - Adjust thresholds based on baseline
  - Get stakeholder buy-in
- Communicate with users:
  - Explain why policies exist
  - Provide clear policy tips
  - Offer legitimate alternatives
- Monitor continuously:
  - Review alerts daily
  - Track policy effectiveness
  - Update for new threats
- Document exceptions:
  - Business justification required
  - Time-limited exceptions
  - Regular review
Related Controls
- DLP-01: Enabling sensitive data classification
- LOG-01: Audit log retention
- LOG-05: Anomaly detection
- GOV-04: Incident response procedures
Revision History
| Date | Version | Author | Changes |
|---|---|---|---|
| 2025-01-07 | 1.0 | TrueConfig | Initial release |