Microsoft Purview encrypted emails generate duplicate incidents.
Article ID: 260542

Updated On:

Products

Data Loss Prevention Network Prevent for Email

Issue/Introduction

In the Enforce console Incident List page, one incident appears per recipient despite Incident Reconciliation being enabled on the Enforce server.

The original message contains two or more recipients. 

The body of the email message received shows "Learn about messages protected by Microsoft Purview Message Encryption." which indicates the message was encrypted with a label using MS Purview.

For example the message looks like this: 

Environment

Release : 15.8+

Cause

In the case of Office 365 Outlook, the message is split into several messages, one per recipient. These copies may be routed to different DLP Network Prevent for Email detection servers, which produces one incident per copy. Normally Incident Reconciliation merges these copies into a single incident. It does not in this case because Microsoft (MS) released MPIP (Purview) with features that change the email workflow and content.

The feature causing the issue is MPIP Custom Branding. It changes the original behaviour, in which the encrypted message is sent as an ".RPMSG" attachment, to sending an informative email body containing a link to the actual message. A recipient who follows the link reaches the original unencrypted message, but the link is unique to each recipient. Because the body of every copy now differs, Symantec DLP (and probably other vendors' products) treats each copy as a distinct message and raises one incident per recipient.
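The following is an added illustration, not code from this article or from Symantec DLP, of why a per-recipient link defeats reconciliation. It uses a toy reconciliation key (Message-ID, subject and a hash of the body), which is an assumption for demonstration and not the documented DLP algorithm. The sample messages, addresses, Message-ID and the Purview-style link format are constructed. The normalized variant at the end shows that stripping the per-recipient link would make the copies collapse again; this is a model of the mechanism, not a feature the article describes.

```python
import email
import hashlib
import re
from email import policy

# Constructed per-recipient copies of one Purview custom-branded message.
# Only the To header and the unique link differ between the two copies.
PURVIEW_BRANDED = [
    """Message-ID: <demo-001@example.com>
From: sender@example.com
To: alice@example.com
Subject: Q3 payroll

Learn about messages protected by Microsoft Purview Message Encryption.
Read the message: https://purview.example.test/read?token=alice-unique-token
""",
    """Message-ID: <demo-001@example.com>
From: sender@example.com
To: bob@example.com
Subject: Q3 payroll

Learn about messages protected by Microsoft Purview Message Encryption.
Read the message: https://purview.example.test/read?token=bob-unique-token
""",
]

# Constructed copies of the same message sent the original way: the body is
# identical for every recipient and the content lives in an .RPMSG attachment.
RPMSG_COPIES = [
    """Message-ID: <demo-002@example.com>
From: sender@example.com
To: alice@example.com
Subject: Q3 payroll

This message is protected. Open the attached message.rpmsg to read it.
""",
    """Message-ID: <demo-002@example.com>
From: sender@example.com
To: bob@example.com
Subject: Q3 payroll

This message is protected. Open the attached message.rpmsg to read it.
""",
]

# Hypothetical pattern for the constructed per-recipient link.
TOKEN_LINK = re.compile(r"https://purview\.example\.test/read\?token=\S+")


def reconciliation_key(raw: str, normalize: bool = False) -> tuple:
    """Toy reconciliation key: Message-ID, Subject and a body hash.

    This is an assumed model for illustration, not DLP's real algorithm.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if normalize:
        # Replace the recipient-specific link with a placeholder so that
        # copies of the same message hash identically.
        body = TOKEN_LINK.sub("<purview-link>", body)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
    return (msg["Message-ID"], msg["Subject"], digest)


def count_incidents(copies: list, normalize: bool = False) -> int:
    """Number of distinct incidents after reconciling the given copies."""
    return len({reconciliation_key(c, normalize) for c in copies})


if __name__ == "__main__":
    print("RPMSG copies reconcile to", count_incidents(RPMSG_COPIES), "incident")
    print("Branded copies reconcile to", count_incidents(PURVIEW_BRANDED), "incidents")
    print("Branded copies with link normalized:", count_incidents(PURVIEW_BRANDED, normalize=True))
```

The .RPMSG copies share one key and reconcile to a single incident, while the custom-branded copies produce one key per recipient because the body hash differs, matching the behaviour described above.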

Resolution

This current behaviour is expected in environments where customers have chosen to configure custom branding option in Purview.

The new email encryption implementation is an optional feature in Purview. It is not the default behaviour.

If you do not choose to use custom branding, encrypted messages are delivered as an ".RPMSG" attachment as before, and you will not see duplicated incidents.

Additional Information

For information on Incident Reconciliation please see: Enabling incident reconciliation

Related articles: 

Article ID: 159907 - If Symantec DLP catches an email twice, is an additional incident created?

NPE analyzing duplicate emails (broadcom.com)

Email incidents take 5 minutes longer to process with Incident Reconciliation (broadcom.com)