Protect Confidential Information sent externally using Office 365 Message Encryption
A new feature, Office 365 Message Encryption, allows email content to be encrypted when sent to external recipients. This works via a very simple mechanism to ensure the message can be easily read, whatever mail system the recipient uses:
- The message is replaced with a link and text explaining what the user needs to do.
- Upon clicking the link, the user is directed to the Office 365 website via an HTTPS connection.
- The user signs in using a Microsoft ID (formerly Windows Live ID) matching their email address. If they have several email addresses, they are told which one must be used.
- The recipient can then view the email in its unencrypted form, and compose a secure reply.
This is similar to how banks often communicate with their customers, protecting confidential information behind a secure HTTPS site.
In our example we will create a rule that simply protects any message subject or body containing the word "Confidential" with Office 365 Message Encryption. You can make this cover more scenarios if you wish, or indeed instruct it to scan email attachments for keywords also.
To implement this on selected outgoing email messages, log in to the Exchange Admin Center and navigate to Mail Flow > Rules.
Next, choose Add to create a new rule. Then in the New Rule window, perform these steps:
- Enter a name, such as "Protect Confidential Information sent Outside the Org"
- Choose More Options to view all available settings that can be applied to the new rule.
- From the Apply this rule if.. drop-down, select The subject or body includes any of these words, then enter Confidential.
- Then choose Add Condition, then select from the drop-down The recipient is located outside the organization.
- In Do the following, select Modify the message security from the drop-down list, then choose Apply Office 365 Message Encryption.
Messages matching this rule will now be encrypted using Office 365 Message Encryption. You can make exceptions for specific domains using the Except if option, for example if you already have a TLS tunnel set up to a partner.
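The same rule can be created and checked from Exchange Online PowerShell. This is an added example, not part of the original walkthrough; it assumes the ExchangeOnlineManagement module is installed, that the ApplyOME action is available in your tenant, and it uses partner.example as a placeholder for a partner domain you want to exempt.

```powershell
# Added example: scripted equivalent of the Exchange Admin Center steps above.
# Assumes an account with rights to manage transport rules.
Connect-ExchangeOnline

$ruleName = 'Protect Confidential Information sent Outside the Org'

# Conditions are ANDed: the keyword must match AND the recipient must be external.
$ruleParams = @{
    Name                       = $ruleName
    SubjectOrBodyContainsWords = 'Confidential'
    SentToScope                = 'NotInOrganization'
    ApplyOME                   = $true
    # Placeholder domain: a partner already reached over a TLS tunnel.
    # Remove this entry if you have no exceptions.
    ExceptIfRecipientDomainIs  = 'partner.example'
    Comments                   = 'Encrypt external mail containing "Confidential"'
}

# Create the rule only if it does not already exist, so the script can be re-run.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule @ruleParams | Out-Null
}

# Check what was actually stored: the rule should be enabled, scoped to
# external recipients, and carry the encryption action and the exception.
$rule = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
$rule | Format-List Name, State, Mode, Priority, SubjectOrBodyContainsWords,
    SentToScope, ApplyOME, ExceptIfRecipientDomainIs

if ($rule.State -ne 'Enabled' -or -not $rule.ApplyOME) {
    Write-Warning "Rule '$ruleName' is not enabled or does not apply encryption."
}

# An earlier rule with "stop processing more rules" set can prevent this one
# from ever being evaluated, so review the rules that run before it.
Get-TransportRule |
    Where-Object { $_.Priority -lt $rule.Priority } |
    Format-Table Priority, Name, State, StopRuleProcessing -AutoSize
```

After running it, send a test message containing "Confidential" to an external mailbox and to an address in the exempted domain to confirm that only the first arrives as an encrypted link.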