We sent a calendar invite to an external recipient and in the Location field added some sensitive data – PCI.

This has not generated an incident and seems to be a gap in detection. The sensitive data is not found in the Header and the Location field is not present after receipt of the invite..

We have only been able to generate an incident with the PCI data in the body along with the location.

Component : Default-Sym

The problem seems to originate not in a difference between on-premise and cloud DLP, but between Outlook running on-premise and Outlook in Office365.  

In the on-premise case running "Microsoft Outlook for Microsoft 365 MSO (16.0.13801.20288) 64-bit".  

In the CDS using O365 (https://outlook.office.com).

The format of the invitation emails generated in the two cases are different.

A fix for this issue is targeted for release in DLP 16.0 (Phoenix).