
Microsoft Purview Sensitivity labels, best practices for setup?

Çağlar Arlı

Background

There have been more than a handful of recent security breaches at my company, involving social engineering and spoofed emails.

A malicious actor, fraudulently spoofing one of our customers, sends an email to a user at my company saying "We've updated our banking info, please make all future payments to this new account number." or "We are still waiting for you to process EFT for invoice XXXX in the amount of XXX, please make sure you are using our new account number XXXXXX."

Our customers, bless their hearts, happily paid large sums of money to these malicious actors, assuming they were customers.

I had the idea for a system that looks for words like "EFT, Funds Transfer, Payment Method, Bank Account, Account update, etc.".

Using these keywords, the system automatically flags that email, in some kind of popup, tooltip, or banner message, with a message like "IF A CUSTOMER IS ASKING YOU TO UPDATE BANKING INFO OR MAKE A PAYMENT TO A NEW ACCOUNT, CALL THE CUSTOMER FIRST AND CONFIRM."

What I'd like to set up

Put simply, we want to have some kind of visual flag (such as a banner or tooltip) that automatically appears to an end user when they receive an email that contains specified keywords. In particular, inbound emails from outside our tenant.

From my research, I believe that Auto-labeling Sensitivity Labels with a tooltip should accomplish what I am looking for.

Image from Microsoft showing what I believe I am looking for.

I watched some guides, but am having trouble getting them working. Below are the steps I've already completed.

Created Sensitive Info Type

  1. Navigate to "Data Classification > Sensitive Info Types".
  2. "Create Sensitive Info Type"
  3. "Define patterns for this sensitive info type", created Pattern #1 with a list of keywords.
  4. "Primary Element" set to "Keyword list".
  5. Under "Case Insensitive", added a handful of keywords that I'd like to trigger the policy tooltip.
  6. No Supporting elements, no additional checks.
  7. High confidence level.

Creating Label

  1. Created a Label in the Information Protection menu.
  2. Gave this label a User-facing description and label color.
  3. Assigned Scope to "Items only", not concerned about Teams or Schematized Data maps at this point.
  4. Checked off "Apply Content Marking".
  5. Under Content marking, applied a Header and Footer (did not set Watermark) with a message that I want the users to see.
  6. Under "Auto-labeling for files and emails", applied the content marking to the Sensitive Info Type that I previously created. HCL, 1-any instances.
  7. "When content matches these conditions > Automatically apply the label"
  8. "Display messages to the user", used the same text as before.
  9. "Groups and Sites", skipped this section.

Publishing label policy

  1. Published to only me as a test user.
  2. "Policy Settings", left all options blank. Do not need users interacting with the label warning.
  3. "Default Label for Documents" Skipped
  4. "Default settings for emails" = None. Don't want the label applied for EVERY email, just the ones that match the sensitive info type.
  5. "Default settings for meetings and calendar events" Skipped
  6. "Default settings for Power BI content" Skipped

Testing and primary issue

After all these steps, I sent an email from my personal Gmail to my Company Email, containing all of the keywords I previously defined.

I received the email but did not see any tooltip or banner appear. Assuming it may be a time-based deployment issue, I waited 24 hours and tried again, with the same results.

Any thoughts? I feel like there is probably something obvious I'm overlooking.

Other Questions

  1. There were many separate steps where it appeared that I could create a user-facing message. Which one of these options should I be enabling? Do I need all of them turned on?

  2. What different kinds of content marking or alert tooltips are there for me to choose from?

  3. Is this the best course of action to accomplish what I am looking for? Is there some other solution that would help me achieve the desired outcome, that may be more effective?
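One way to get the inbound banner the post describes, as an added example that is not part of the original question or of any Microsoft guide: an Exchange Online mail flow (transport) rule rather than a sensitivity label. The "Auto-labeling for files and emails" setting inside a label is the client-side variety, which Office apps evaluate while a user is authoring or sending content, so it is not expected to act on a message that merely arrives from an external mailbox; a mail flow rule, by contrast, runs on every message Exchange Online delivers and can prepend HTML to the body of inbound external mail that contains given words. The script assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can manage transport rules (Exchange Administrator, for instance); the rule name, keyword list, subject tag, header name and banner wording are illustrative choices, not values from the page.

```powershell
# Added example, not code from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account can manage transport rules. Rule name, keywords,
# header name and banner text below are illustrative choices.
Connect-ExchangeOnline

# Keyword list in the spirit of the post's sensitive info type. "ContainsWords" matching
# is case-insensitive and matches whole words/phrases, so "EFT" will not fire on "left".
$PaymentKeywords = @(
    'EFT',
    'funds transfer',
    'payment method',
    'bank account',
    'account update',
    'new account number',
    'updated banking'
)

# Banner prepended to the message body. Plain HTML renders in Outlook desktop, Outlook on
# the web and mobile clients without any label or client-side add-in being involved.
$Banner = @'
<div style="border:2px solid #c00000;background:#fde9e7;padding:8px;font-family:Segoe UI,Arial;font-size:12pt;">
<b>PAYMENT / BANKING DETAIL WARNING:</b> If a customer is asking you to update banking
information or to pay to a new account, <b>call the customer on a phone number you already
have on file and confirm.</b> Do not reply to this email to verify it.
</div>
'@

$RuleName = 'Flag inbound banking-change requests'

# Conditions: sender outside the organisation AND any keyword in subject or body.
# Actions: prepend the banner, tag the subject, and stamp a header for later hunting.
New-TransportRule -Name $RuleName `
    -Comments 'BEC control: banner on external mail that mentions payment or banking changes' `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords $PaymentKeywords `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $Banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -PrependSubject '[Verify by phone] ' `
    -SetHeaderName 'X-BEC-Banking-Keywords' `
    -SetHeaderValue 'matched' `
    -Mode Enforce `
    -Priority 0

# Confirm the rule landed with the conditions and actions you expect before testing
# with a message from an external mailbox.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, Priority, FromScope, SubjectOrBodyContainsWords,
                ApplyHtmlDisclaimerLocation, PrependSubject, SetHeaderName, SetHeaderValue
```

A few practical notes on the design: `-Priority 0` puts the rule ahead of any existing rules so an earlier rule cannot stop processing before the banner is added; `-ApplyHtmlDisclaimerFallbackAction Wrap` means that when the body cannot be modified (a signed or otherwise protected message), the original is wrapped inside a new message carrying the banner instead of being delivered untouched; and the `X-BEC-Banking-Keywords` header gives message trace and your SIEM something to search on, which a visual banner alone does not. To see what the rule would match without altering anyone's mail first, create it with `-Mode Audit` and switch to `Enforce` once the keyword list looks right. The banner is advisory only; the control that actually stops the fraud is the callback on a known number, so the wording should tell the reader exactly that.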