URL within a file attachment is being detected as a 'Filename'
search cancel

URL within a file attachment is being detected as a 'Filename'


Article ID: 161824


Updated On:


Data Loss Prevention Network Monitor Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Discover Data Loss Prevention Endpoint Discover


If a Microsoft Word document (.docx) has an URL which points to a monitored file extension false positives are seen.

Discover and Network Incident Snapshot shows match highlight for file name within a URL.

Example of false positive when using File Name rule looking for *.aspx


When DLP inspects a file attachment which includes a URL link within the document. DLP parses this file and reads the URL as a File Name or File Extension.

This applies to the following Rule Conditions.

  • File Name
  • File Type


Add a compound rule to also look for File Size greater than 1 byte to avoid false positives when looking for File Name or File Type.

Example of modified policy that looks for File Name *.aspx and *.docx compounded with Size Rule.