Blog - AdaptivEdge

Restrict Pasting Sensitive Information to Browser Sites with Purview Endpoint DLP

Written by Steve Soper | Mar 25, 2026 3:40:46 PM

In this article, we look at how Purview Endpoint DLP (eDLP) can detect and act on sensitive information being pasted from a device’s clipboard into the browser. It is one of the many ways eDLP can help prevent unwanted data exfiltration that standard Office 365 DLP policies cannot address.

Use-case Scenarios

  • Block, or Block with override, the pasting of sensitive data to specific websites, such as third-party AI sites like ChatGPT
  • Allow pasting of sensitive data to approved websites and block pasting to all other sites

Requirements (at a high level)

Objectives

  1. Create a group of “Allowed” website URLs in the global Endpoint DLP settings
  2. Create an Endpoint DLP policy that:
    1. Detects sensitive content as it is pasted into the browser
    2. Allows pasting of the content to URLs defined in the custom group
    3. Blocks by default pasting of the content to all other URLs not defined in the custom group
  3. Analyze logs in Activity Explorer

Configure Endpoint DLP Settings

Navigate to the global Endpoint DLP settings in Purview by going to Settings > Data Loss Prevention, then open the Browser and domain restrictions to sensitive data section.

In this area, the two sub-sections we need to pay attention to are Service domains and Sensitive service domain groups.


For the Paste to Browser DLP activity, we need to use the Sensitive service domain groups area. As shown in the tooltip below, the list of websites in the Service domains area does NOT do anything for pasting to the browser. That list applies to other activities, such as Upload to cloud, which is also very useful but not the topic for today.

Important: Even though we will not be adding websites to the Service domains list, make sure the drop-down for this setting is set to Block, as it is in the screenshot below. Having it set to Allow made my policy do weird things, like make the DLP policy not do what it’s supposed to!

In this example, we will create a group of URLs that we will Allow the pasting of sensitive data to and block all other URLs.

  1. Select Create sensitive service domain group.
  2. Give the group a name.
  3. Add all the URLs. We are adding Office 365 URLs for this example.

Tip: You can use asterisks as wildcards within the URL.


Configure Endpoint DLP Policy

Next we create a DLP policy that targets devices onboarded to Microsoft Purview / Defender for Endpoint, and configure its detection criteria and actions. The DLP policy is what references the Sensitive service domain group we just created: it allows pasting to those URLs and blocks pasting to all other URLs.

  1. Navigate to Solutions > Data Loss Prevention in Purview and select Create Policy (or edit an existing policy)
  2. Give your policy a meaningful name and select Next until you get to Locations
  3. Select Devices and choose either a user or device group of enrolled devices and select the Next button to continue
  4. Select Create rule
  5. Give your rule a meaningful name
  6. In this example we want to detect Sensitive Info Types, or SITs, so under the Conditions section we choose Add condition > Content contains
  7. This adds a Content contains section with a default group. In this section select Add > Sensitive info types
  8. Select all applicable SITs and adjust the number of occurrences and confidence levels as you see fit
  9. Under Actions, select Add an action > Audit or restrict activities on devices
  10. Check the option for “Paste to supported browsers” within the Service domain and browser activities section at the top.
  11. Set the action to Block for this setting.
  12. Select Choose different restrictions for sensitive service domains > Add group > select the Domains group you made > Add > set the Action to Audit only > Save

  13. Since our goal is simply to restrict Paste to Browser, we have purposely turned off all other settings within Audit or restrict activities on devices
  14. Customize user notifications, incident reports, and additional options if you prefer. For this example, we will not be configuring any of these.
  15. Save the rule
  16. Select Next to proceed to the Policy mode section
  17. I recommend running the policy in simulation mode first and reviewing the logs in Activity Explorer to confirm it is working as expected before turning it on. In this example, I will be turning it on immediately since the policy is scoped to my test user and test device, so no big deal if things do not work as expected. Select Next and finish creating the policy.

How Do You Know When the Policy Has Been Deployed?

Navigate to Settings > Data Loss Prevention > Device Onboarding > Devices and make sure, for your device, both Configuration status and Policy sync status show Updated with green check marks.

End-User Experience

Since *.office.com is in our group of service domains, let’s try copying some fake sensitive data and pasting to dlptest.com, which should be restricted with our setup.

In the Edge browser, we are greeted with a nice pop-up window at the top-left corner of the browser window, telling us that pasting protected content to this site is not allowed. Perfect!

In Mozilla Firefox and Google Chrome, expect a Windows toast notification at the bottom-right corner of the screen to appear instead.

Conversely, if we visit Outlook web (outlook.office.com), pasting the same content here should be allowed. Our test indicates that this is exactly the case.


Viewing eDLP Events In The Activity Explorer

Paste to Browser activities show up as Activity = Pasted to browser. We should see a Block event for when we tried to paste sensitive data to dlptest.com, and a separate event for our successful attempt at pasting the same data to outlook.office.com.


Tip: Set a filter for Activity: Pasted to browser and add columns for Enforcement mode, Target domain, and Sensitive info type to make the log more relevant to what we are working on.

Pulling up the details of a log entry by clicking one of the events will show us more useful information, such as the Browser used and the name of the sensitive domains group.
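To tie the domain group from the Endpoint DLP settings back to what appears in Activity Explorer, here is an added Python example (not from the original article and not Microsoft's code) that applies the same asterisk wildcard matching the portal uses for sensitive service domain groups to a constructed Activity Explorer export, and flags any Pasted to browser event whose enforcement does not match the intended design (Audit for the group, Block for everything else). The column names, enforcement values and export rows are assumptions modelled on the tip above.

```python
import csv
import fnmatch
import io

# Constructed stand-in for the Sensitive service domain group created in the
# global Endpoint DLP settings; asterisks are wildcards, as in the portal.
ALLOWED_DOMAIN_GROUP = ["*.office.com", "*.sharepoint.com"]

# Constructed Activity Explorer export (assumed column names); a real export
# carries many more columns, but these are the ones the tip above adds.
SAMPLE_EXPORT = """Activity,Enforcement mode,Target domain,Sensitive info type,Browser
Pasted to browser,Block,dlptest.com,Credit Card Number,Microsoft Edge
Pasted to browser,Audit,outlook.office.com,Credit Card Number,Microsoft Edge
Pasted to browser,Audit,dlptest.com,U.S. Social Security Number (SSN),Google Chrome
Uploaded to cloud,Block,dlptest.com,Credit Card Number,Microsoft Edge
"""


def domain_allowed(domain, group=ALLOWED_DOMAIN_GROUP):
    """True if the target domain matches any wildcard entry in the group."""
    host = domain.strip().lower()
    return any(fnmatch.fnmatchcase(host, pattern.lower()) for pattern in group)


def expected_enforcement(domain):
    """Mirror the rule: Audit only for the domain group, Block for all other URLs."""
    return "Audit" if domain_allowed(domain) else "Block"


def find_policy_gaps(export_text):
    """Return Pasted to browser events whose enforcement disagrees with the design.

    Each gap is (target domain, sensitive info type, observed mode, expected mode).
    Other activities (e.g. Uploaded to cloud) are governed by the Service
    domains list, not the group, so they are skipped here.
    """
    gaps = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Activity"] != "Pasted to browser":
            continue
        expected = expected_enforcement(row["Target domain"])
        if row["Enforcement mode"] != expected:
            gaps.append((row["Target domain"], row["Sensitive info type"],
                         row["Enforcement mode"], expected))
    return gaps


if __name__ == "__main__":
    for domain, sit, observed, expected in find_policy_gaps(SAMPLE_EXPORT):
        print(f"{domain}: {sit} was {observed}, expected {expected}")
```

A non-empty result is the cue to re-check the rule's group assignment or the policy mode (simulation vs. on) before trusting the deployment.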


Limitations

Some notable things I’ve come across when deploying Paste to Browser in different customer environments:

  • It doesn’t matter where the sensitive content originated. It works regardless of file type or whether a sensitivity label is applied to the file.
  • Advanced classification scanning is not supported! This means certain SITs, such as All Full Names and All Physical Addresses, will not work for Paste to Browser. Advanced classification is Microsoft Purview’s cloud-based data classification service that scans items, classifies them, and returns the results to the endpoint. Refer to the given link to see all entities affected by this limitation.
  • As already noted in the article, setting the Service domains setting in Endpoint DLP to ALLOW will cause some wonky behavior with Paste to Browser, so it is best to leave it on BLOCK, even though this setting is not supposed to affect the Paste to Browser feature.