How to control data spillage in Office 365 Dedicated/ITAR


This article describes how to remove an email message, or an attachment to an email message, from one or more mailboxes in Microsoft Office 365 Dedicated/ITAR in an urgent situation. 

Note If a user unknowingly sends or forwards an email message that contains sensitive information or information that may have serious business consequences, this is known as data spillage. This is generally an urgent situation where you must remove the email message as quickly as possible. 

More Information


Many customers categorize their company data according to the kind of information that the data contains. For example: 
  • Security=High
  • Security=Low
  • High Business Impact
  • Low Business Impact
The information in the Security=High category or the High Business Impact category may contain highly confidential information. You may want to remove the data quickly to avoid the following scenarios:
  • A user leaks the information.
  • A system is not secure or is prone to the spread of sensitive information.

Customer preparedness

Incidents of data spillage may occur at any time. Therefore, you should be prepared to deal with these incidents immediately. You should identify and document the steps that the organization follows in spillage scenarios to access, identify, and delete data. To do this, make sure that you can do the following:
  • Understand the available options for each available tool.
  • Identify the administrators or people who have access to each tool. Or, document the process to enable the appropriate people to make a request for access quickly.
For more information about available tools, see the "Available tools" section.

Available tools

The tools that are described in this section are available for self-service operations and require membership to specific security groups.
  • Message tracing

    Use message tracing to track messages as they pass through the Exchange Online or Exchange Online Protection (EOP) service. Message tracing helps you determine whether a targeted email message is received, rejected, deferred, or delivered by the service. Message tracing also shows what events have occurred on the message before the message reaches its final status.
  • Multi-mailbox search

    Exchange Online lets customers search the contents of mailboxes across an organization by using a web-based interface. Administrators or compliance and security personnel who have the appropriate permissions can search email messages, attachments, calendar appointments, tasks, contacts, and other items across mailboxes and archives. Rich filtering capabilities include sender, receiver, message type, send/receive date, and carbon copy/blind carbon copy, together with the Keyword Query Language syntax. Search results also include items in the Deleted Items folder if they match the search query.
  • Search and delete

    You can use the Compliance Search feature in Office 365 to search for and remove an email message from all mailboxes in your organization. Compliance and security personnel who have the appropriate permissions can use PowerShell to search for and destroy data. This includes email messages, attachments, appointments, tasks, and contacts.
  • Transport rules

    Administrators can use Exchange transport rules to search for specific conditions in messages that pass through organizations and to take action on them. These rules are taken on messages "in-transit" or "in-flight" before they are delivered. This is a valuable tool that can be used to prevent or contain a spill, or that can be used when a spill is occurring. For example, if the data spill involves one or more attachments that are sent through an email message, you can create a transport rule to block and delete all messages that contain the attachment (or attachments).  

文章識別碼:2811786 - 最後檢閱時間:2016年4月27日 - 修訂: 1