Some endpoint email recipients addresses show as "null" in the incident

Article ID: 270506

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention

Issue/Introduction

When sending an email to Guest Email accounts (external users from a trusted domain) selected from the first instance of the "Offline Global Address List" in the Outlook "Address Book" dropdown, the recipient email address is shown as null in incident reports, and empty in incident snapshots.

The steps to reproduce this are:

  1. Using Microsoft Exchange Online
  2. Connect a trusted domain
  3. In Microsoft Outlook compose a new message
  4. Click the To button
  5. Expand the Address Book dropdown
  6. Select the first instance of "Offline Global Address List"
  7. Select a user from the trusted domain and add to the To field
  8. Complete the email with content that will violate a policy and send
  9. Observe that the recipient address in the incident is missing

This can also occur when updating an Outlook calendar meeting, or even when replying to a message with one of the offline guest contacts.

Environment

DLP Endpoint
Trusted domains
O365 - Online Exchange
Outlook client

Cause

According to Microsoft Developer Messaging analysis:
 
"The issue is caused by the cloud GAL classifying the users in the trusted domains as 'Guest accounts' and those accounts do not have an email address associated with them. MSFT said that there is an open enhancement request to add the email address to the guest users. There is no ETA for that update, but it won't be before next year."
 
The Microsoft Exchange team suggested, as a workaround, "that we change the way we look for the email addresses as both MFCMapi and OutlookSpy show an email in the 'PR_EMS_AB_PROXY_ADDRESS' as 'SMTP:<email address>'."
 
However, PR_EMS_AB_PROXY_ADDRESS is not a property that is available within the MailItem / RecipientTable. This is only visible using MFCMapi and loading the contact from the Address Book directly.
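
The fallback lookup described above, as an added example (not code from the DLP agent or from Microsoft): it assumes the proxy-address strings have already been read from the address book entry, and it goes slightly beyond the text by also skipping non-SMTP entries and preferring the primary address over aliases. All function names and sample values are hypothetical.

```python
# Added illustration: choose a reportable SMTP address for a recipient whose
# primary address field is empty, using proxy-address strings such as
# "SMTP:<email address>". Function names are hypothetical.
import re
from typing import Iterable, Optional

_SMTP_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def smtp_from_proxy_addresses(values: Iterable[str]) -> Optional[str]:
    """Return the primary SMTP address, else the first alias, else None.

    Exchange convention: an upper-case "SMTP:" prefix marks the primary
    address, lower-case "smtp:" marks an alias; other prefixes (X500, SIP,
    ...) are not mail addresses and are skipped.
    """
    alias = None
    for raw in values:
        prefix, sep, addr = raw.strip().partition(":")
        if not sep or prefix.lower() != "smtp":
            continue
        addr = addr.strip()
        if not _SMTP_RE.match(addr):
            continue  # malformed value, never report it as a recipient
        if prefix == "SMTP":
            return addr.lower()
        alias = alias or addr.lower()
    return alias


def resolve_recipient(primary: Optional[str], proxies: Iterable[str]) -> str:
    """Prefer the normal address; fall back to proxies; flag if unresolved."""
    if primary and _SMTP_RE.match(primary.strip()):
        return primary.strip().lower()
    return smtp_from_proxy_addresses(proxies) or "<unresolved>"


# Constructed sample: a guest entry with no primary address.
GUEST_PROXIES = [
    "X500:/o=ExchangeLabs/ou=Example/cn=Recipients/cn=guest1",
    "smtp:guest.alias@partner.example",
    "SMTP:Guest.User@partner.example",
]

if __name__ == "__main__":
    print(resolve_recipient(None, GUEST_PROXIES))
```

Returning an explicit `<unresolved>` marker instead of an empty value keeps a missing recipient visible in reporting rather than silently blank.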

Resolution

An updated outlk64.dll that can collect the email address of the guest account is now available.
Please reach out to DLP Support to request this fix, and provide the Support Engineer with this KB number.

The fix is also available in 16.0 RU1.