Recipient details are not captured for some Endpoint email incidents in Symantec DLP when the email is sent to a private distribution list (group email).
For example:
Incident ID: xxxxxxxx
Sender Email: [email protected]
Subject: Review FY23 Business Report
Occurred On: 13/08/2023 2:01:00 PM
[no recipient detail]
Upon further review of the DLP agent log for the same incident date and timestamp, the Recipients field is blank, as follows:
Recipients:
And just before it, the following error:
INFO | Outlook.OutlookClient | Failed to list recipients using local MAPI store. Falling back on existing mechanism. Error :[0]
Release: 15.8.x, 16.0.x
Upon follow-up with the user about the email sent at the time of the incident report, it was confirmed that the intended recipient was a Private Distribution List.
When the end user sends an email and the Symantec DLP Outlook plugin is unable to find the recipients in the local MAPI store, Symantec DLP tries to fetch the same details through MAPI API calls, and those are unsuccessful too.
It was found that certain private Distribution Lists had an issue where Symantec DLP was not able to extract the recipients from the DL because Microsoft Outlook would not show the recipients to Symantec DLP.
This was proved with the Microsoft MFCMAPI tool, which confirmed that even the tool itself was not able to see the recipients in the example Private Distribution List. The tool can be downloaded from Microsoft at: https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/how-to-install-the-samples-used-in-this-section
In this case, the customer needed to work with Microsoft support to determine what the issue was with the Private Distribution Lists that were not working, as the issue was not a Symantec DLP problem but something with Microsoft Outlook and the distribution list.
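To gauge how many endpoint incidents are affected, the agent log can be scanned for the failure message quoted above followed by an empty Recipients field. The script below is an added example, not Symantec or Broadcom code; the two matched strings come from this article, while the sample log, the function name and the line window are assumptions.

```python
import re

# Message text and field name exactly as quoted in the article.
FALLBACK_MSG = "Failed to list recipients using local MAPI store"
RECIPIENTS_RE = re.compile(r"\bRecipients:\s*(.*)$")

# Constructed sample input. Only the INFO line and the blank "Recipients:"
# line are taken from the article; addresses and ordering are illustrative.
SAMPLE_LOG = """\
INFO | Outlook.OutlookClient | Failed to list recipients using local MAPI store. Falling back on existing mechanism. Error :[0]
Recipients:
Recipients: user@example.com
INFO | Outlook.OutlookClient | Failed to list recipients using local MAPI store. Falling back on existing mechanism. Error :[0]
Recipients: team@example.com
""".splitlines()


def find_blank_recipient_events(lines, window=5):
    """Return (fallback_line, recipients_line) pairs, 1-based, where the
    MAPI fallback message is followed within `window` lines by an empty
    'Recipients:' field.

    The fallback message alone is not treated as a hit: the fallback
    mechanism may still resolve the recipients, so only the pair with a
    blank field indicates the incident lost its recipient details.
    """
    hits = []
    pending = None  # line number of the latest unmatched fallback message
    for no, line in enumerate(lines, start=1):
        if FALLBACK_MSG in line:
            pending = no
            continue
        m = RECIPIENTS_RE.search(line)
        if m:
            blank = not m.group(1).strip()
            if pending is not None and no - pending <= window and blank:
                hits.append((pending, no))
            pending = None  # the next Recipients line belongs to another email
    return hits


if __name__ == "__main__":
    for fallback_no, rcpt_no in find_blank_recipient_events(SAMPLE_LOG):
        print(f"fallback failed at line {fallback_no}, blank recipients at line {rcpt_no}")
```
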