Microsoft Purview: Data Loss Prevention - Count of Labelled Documents Condition
A new DLP condition for Exchange Online policies will enable detection of bulk data exfiltration by triggering rules when email attachments with matching sensitivity labels exceed a configured threshold. This addresses scenarios where multiple low-risk labeled files collectively pose compliance or security risk.
Key dates
- 2024 — preview (Feature currently in development; GA availability not specified)
Microsoft's description
This release introduces a new condition for Exchange Online policies: “Count of labeled documents is greater than.” This condition evaluates the number of attachments in an email message that carry a matching sensitivity label. When the count exceeds a defined threshold, the DLP rule is triggered, and configured actions are applied. This capability enables detection of high-volume data exfiltration scenarios, where multiple sensitive files—individually low-risk—collectively represent a significant compliance or security risk. Existing conditions evaluate file content, but do not provide controls based on the volume of labeled attachments.