Find Out Who Is Using BCC External Emails on Exchange Online 365

Who In Your Company Is Using BCC Emails on External Emails? (on Exchange Online 365)

In some cases, especially in Data Leakage Prevention scenarios, you need to know who is using BCC and to whom they are sending; the focus is usually on internal-to-external emails.

* Yes, you can block the BCC availability if you wish (via GPO and other options).

Finding out who is using BCC seems like an easy task for your IT systems admin to check, but with Exchange Online 365 or Exchange 2013 and onwards the task is a bit complicated: there is no BCC log.

To enable this type of logging in Exchange Online 365, we need a small workaround:

  1. Recommended – Create a dedicated mailbox.
  2. Create a new rule in the 365 Exchange Admin to generate a report for every internal > external email. This is also very useful as a journal (because Office 365 online won't let you use an online mailbox as a journal).
  3. Make sure the “Custom Content” has BCC selected.
  4. The above rule will send reports on ALL internal > external emails sent in your organization; now we need to filter them.
  5. Create an Outlook rule (the rule works at the server level but is created from Outlook) to move any report to a specific folder.
  6. Now we need to separate the reports that contain a BCC from “normal external emails”: create an Outlook rule that separates the emails based on “BCC:” content. VERY IMPORTANT: make this rule AFTER the previous rule.
  7. If you want, you can now create another rule to delete any report that does not have a BCC in it. I personally recommend having a dedicated mailbox which holds all reports as a type of journal – very useful for forensics and quicker than Message Trace.
  8. For the advanced user – have a look at the Microsoft Flow features that can convert emails to SQL. Once the data is in SQL you can create alerts and combine the system with your DLP policy.
  9. The same logic is even more useful when you have RMS or AIP: you can then run the same reports by classification, for example WHO is sending CLASSIFIED emails with BCC.
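
Steps 1 to 3 and the "BCC:" filter from step 6 can also be scripted in Exchange Online PowerShell. The block below is an added example, not part of the original article. The mailbox name, address, rule names and the `With BCC` folder are constructed placeholders, and the folder is assumed to already exist in the report mailbox.

```powershell
# Added example (not from the original article).
# Requires the ExchangeOnlineManagement module and an admin role that can
# manage mailboxes and mail flow (transport) rules.
Connect-ExchangeOnline

# Constructed placeholder values; replace with your own.
$reportAlias   = 'bcc-reports'
$reportAddress = 'bcc-reports@contoso.example'
$ruleName      = 'Report internal to external mail (incl. BCC)'

# Step 1: dedicated shared mailbox that receives every report.
New-Mailbox -Shared -Name 'BCC Reports' -Alias $reportAlias `
    -PrimarySmtpAddress $reportAddress

# Steps 2-3: mail flow rule that generates an incident report for every
# message sent from inside the organization to an outside recipient.
# 'Bcc' in IncidentReportContent is the "Custom Content" box from step 3.
$rule = @{
    Name                   = $ruleName
    FromScope              = 'InOrganization'
    SentToScope            = 'NotInOrganization'
    GenerateIncidentReport = $reportAddress
    IncidentReportContent  = 'Sender', 'Recipients', 'Subject', 'Cc', 'Bcc'
    Mode                   = 'Enforce'
}
New-TransportRule @rule

# Check that the rule is enabled and that Bcc is part of the report content.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SentToScope,
                GenerateIncidentReport, IncidentReportContent

# Step 6: server-side inbox rule on the report mailbox that files every
# report whose body contains "BCC:" (the marker the article filters on).
# Assumption: the folder "With BCC" already exists in that mailbox.
New-InboxRule -Mailbox $reportAddress -Name 'Reports with BCC' `
    -BodyContainsWords 'BCC:' `
    -MoveToFolder "${reportAlias}:\With BCC"

# Review the inbox rules and their order on the report mailbox.
Get-InboxRule -Mailbox $reportAddress |
    Format-Table Priority, Name, Enabled
```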

No shortcuts – we always need to be one step ahead.

Written by Eli Migdal – TowerWatch Solutions – CEO

*This article originally appeared on LinkedIn.*