O365 E3/E5 customers have received a notification from Microsoft that they will be creating a new automatic policy in Office 365 tenants that will apply Office 365
Message Encryption to all emails that contain sensitive information and that are being sent outside your organization.
This document describes the potential impact to your Proofpoint Essentials services due to this automatic action by Microsoft. Further, Proofpoint Essentials recommends that our
customers disable the automatic policy.
How to disable Automatic Policy
Details of the Automatic Policy
The policy will enable automatic email encryption when “sensitive” information is detected in email content. Microsoft has provided examples of what is considered
“sensitive” as follows:
- ABA routing number
- Credit card Number
- Drug Enforcement Agency (DEA) number
- U.S. / U.K. passport number
- U.S. bank account number
- U.S. Individual Taxpayer Identification Number (ITIN)
- U.S. Social Security Number (SSN)
They also add that the “exact sensitive types may differ by your organization’s locale and will be communicated in the Message Center notification.”
Impact to Proofpoint Essentials DLP/Encryption customers
The impact of this automatic policy will be immediately disruptive for Proofpoint Essentials customers:
- DLP: Given that many emails will have already been encrypted, the Proofpoint Essentials DLP engine will not be able to inspect those emails for sensitive content. This
implies any compliance / regulatory visibility that customers rely on Proofpoint Essentials for will not be available.
- Outbound email scanning: Spam and AV scanning would not be possible on those encrypted emails
- Plugin or Subject based encryption: would probably result in “double” encryption because the Proofpoint Essentials gateway will try to encrypt an already encrypted
- Policy-based Encryption: emails encrypted by Microsoft cannot be scanned for DLP by Proofpoint Essentials. Therefore, Proofpoint Encryption will not be triggered.
Customers should also note that this automatic policy will alter the recipient experience significantly. The recipients who receive encrypted emails will now have to
login/authenticate with their userid/password or use a One Time Passcode to access automatically encrypted content.
Proofpoint Essentials Recommendation
For the reasons outlined above, Proofpoint Essentials recommends that customers disable this automatic policy so that all the PPS services (DLP, Spam/AV,
Encryption) that customers value continue to operate as before.
How to disable the Automatic Policy
Please disable the rule as described in Microsoft’s announcement (https://docs.microsoft.com/en-us/office365/securitycompliance/new-omeencryption-
If you didn’t opt-out of this change and the Exchange mail rule has already been created, you can disable the rule (https://docs.microsoft.com/exchange/security-andcompliance/
mail-flow-rules/manage-mail-flow-rules#enable-or-disable-a-mail-flow-rule) by going to Mail flow > Rules in the Exchange admin center (EAC) and
disable the rule “Encrypt outbound sensitive emails (out of box rule)”.