Picture this: An employee needs to finish a proposal over the weekend. To make things “easier,” they quickly drop a confidential internal spreadsheet into a personal WhatsApp Web window, or attach it to an email heading to an external vendor. Just like that, sensitive corporate data has left your secure boundary.
When organizations upgrade to the Microsoft 365 E5 tier, they often do so to solve this exact problem. But owning the licenses is only half the battle—knowing how to architect your Data Loss Prevention (DLP) policies to catch data wherever it moves is what actually closes the gap.
In this post, we’ll look at a real-world multi-channel leak scenario and walk step-by-step through configuring and demonstrating Microsoft Purview DLP to block leaks across Exchange (Email), Microsoft Teams, and unmanaged cloud apps like WhatsApp and Viber.
The Strategy: Multi-Channel Protection
To protect against this broad scenario, we cannot rely on a single rule. We must target three distinct threat vectors using Microsoft Purview:
- Exchange Online: To intercept files flying out via external emails.
- Microsoft Teams: To block sensitive files or strings from being shared in chats with external guests.
- Endpoint DLP (Workstations): The silver bullet. This monitors the device level, stopping users from uploading corporate data into desktop apps or web versions of WhatsApp, Viber, or unauthorized personal cloud storage.
Step-by-Step Implementation
Let’s configure a unified policy in the Microsoft Purview compliance portal (purview.microsoft.com).
Step 1: Initialize the Policy
- Navigate to Data loss prevention > Policies and click + Create policy.
- Choose Custom > Custom policy to give us full granular control.
- Name your policy something clear, such as Exfiltration Control - Sensitive Data.
Step 2: Choose Your Scopes (Locations)
This is where the magic happens. To tackle our scenario, we will select:
- Exchange mailboxes
- SharePoint sites & OneDrive accounts (protects the underlying storage)
- Teams chat and channel messages
- Devices (This turns on Endpoint DLP to catch WhatsApp/Viber uploads)
Step 3: Configure Advanced DLP Rules
Inside the policy, click + Create rule. We will build a high-protection rule targeting data shared outside the organization.
| Rule Component | Configuration Setting |
|---|---|
| Conditions | Content contains: Select your data types (e.g., Sensitivity Labels: Highly Confidential OR SITs: Credit Card / PII). Content is shared from Microsoft 365: with people outside my organization. |
| Actions: M365 Locations | Under M365 locations, select Restrict access or encrypt content > Block everyone except organizational insiders. |
| Actions: Endpoint DLP | Under Audit or restrict activities on devices, toggle the following to Block: • Upload to cloud service domains • Copy to a restricted app |
Step 4: Setting up Browser & App Restrictions for WhatsApp/Viber
To make sure Endpoint DLP successfully catches social apps, we need to configure our global Endpoint settings:
1. Identify the Application Executables (Admin Prerequisite). Locate the process names for your target desktop apps. For example: WhatsApp.exe, Viber.exe.
2. Add to Restricted App Groups (Purview Settings). Go to DLP settings > Endpoint settings > Restricted app groups. Add a group named Unmanaged Social Apps and list WhatsApp.exe and Viber.exe.
3. Enforce Web Upload Restrictions (Browser Protection). Under Browser and domain restrictions to sensitive data, add web.whatsapp.com and viber.com to your restricted service domains, ensuring users can’t bypass the desktop app block by using a web browser.
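For teams that script their tenant configuration, here is a Security & Compliance PowerShell sketch of Steps 1 to 3, created in simulation mode. It is an added example, not part of the original walkthrough. The rule name is hypothetical, and the mapping of the portal options to BlockAccessScope and EndpointDlpRestrictions values is an assumption to confirm in your own tenant. The Step 4 endpoint settings (restricted app group and service domains) are still configured in the portal.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
Connect-IPPSSession   # Security & Compliance PowerShell; sign in with a DLP administrator account

$policyName = 'Exfiltration Control - Sensitive Data'    # policy name from Step 1
$ruleName   = 'Block external sharing - sensitive data'  # hypothetical rule name

# Step 2: scope the policy to Exchange, SharePoint/OneDrive, Teams and Devices.
# TestWithoutNotifications = simulation mode: matches are logged, nothing is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -TeamsLocation All -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# Step 3, Endpoint DLP actions. Assumed mapping to the portal toggles:
#   CloudEgress   -> "Upload to cloud service domains"
#   UnallowedApps -> activity by apps on the restricted apps list
$endpointActions = @(
    @{ Setting = 'CloudEgress';   Value = 'Block' }
    @{ Setting = 'UnallowedApps'; Value = 'Block' }
)

# Step 3, rule: a built-in sensitive information type, shared outside the organization.
# BlockAccessScope PerUser blocks external users (assumed equivalent of the portal
# option quoted in the table above).
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -EndpointDlpRestrictions $endpointActions

# Confirm the policy mode and that it has finished distributing to all locations.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, DistributionStatus

# After reviewing the simulation results, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```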
The Demonstration: What the User & Admin Sees
A security policy is only as good as its enforcement. Here is exactly how Microsoft Purview blocks exfiltration attempts across these channels in real-time.
1. The Email Experience (Exchange)
When an employee attaches a protected document to an external email address and hits Send, Microsoft Purview intercepts the transport pipeline immediately.
- User Impact: The email is bounced back instantly with a Non-Delivery Report (NDR) stating the message violated company security policies.
- Proactive Warning: If using Outlook, a Policy Tip banner appears at the very top of the composition window the moment the external email address is added, warning the user before they click send.
2. The Teams Chat Experience
If an employee tries to drop the sensitive document or type a restricted string (like a customer credit card number) into a chat containing an external guest:
- User Impact: The message is sent but instantly vanishes, replaced by a red block of text reading: “This message was blocked. What can I do?”
- Recipient Experience: The external guest simply sees an empty shell indicating a message was blocked due to compliance.
3. The Social App Experience (WhatsApp / Viber Web & Desktop)
What happens if the user tries to drag and drop that official document directly into WhatsApp desktop or a web browser to send it out?
- User Impact: The file transfer freezes. A native Windows/macOS notification pops up from the system tray alerting the worker that the action is blocked by corporate security policies.
The Security Team Dashboard (Alerts & Auditing)
While the user is blocked on the frontline, Purview is simultaneously building an audit trail for your Security Operations Center (SOC).
Whenever a rule triggers, an incident is logged in the Purview Activity Explorer and an automatic alert is generated.
What the Alert Contains:
- The Actor: Exactly who tried to share the data.
- The Channel: Identifies whether it was sent via Outlook, Teams, or an endpoint application like WhatsApp.exe.
- The Evidence: Displays the exact sensitive string or metadata snippet that triggered the match (e.g., which sensitivity label was assigned).
Wrapping Up: Turning it On
If you are rolling this out on your blog or your production tenant, always start in Simulation Mode.
Running your new multi-channel policy in simulation mode for 7 to 14 days allows you to harvest data via the Activity Explorer without interrupting end-user workflows. You’ll be able to see exactly how much corporate data is quietly trickling into Outlook, Teams, and WhatsApp, giving you the hard data you need to confidently switch the toggle from Audit to Block.