O365 Teams generating false positive for External Exposures for 'in-line' messages:
• Even when all users in the conversation within the Channel are 'internal' only, CloudSOC would trigger as if there were an external exposure.
From Message Stream File:
• This only applies to 'in-line' messages (example above) and does not apply to attachments.
• The Channel did not have a user explicitly added whereas the user was unlicensed. However, in a production environment, it's possible a user previously added may have been converted to unlicensed in O365. To illustrate, a new Channel was created as shown below where the 'default' option is chosen 'Everyone on the team has access'. In the process of creating this Channel, O365 added unlicensed users.
CASB + DLP + O365 Teams
A defect was identified relating to users that are identified in the O365 Teams Channel where those users are unlicensed. The system assumed the individuals to be external even though they were 'internal' just 'unlicensed'.
A resolution was published with CASB release 3.146. Subsequent testing shows the scenario above no longer generates false positives for External exposure.