Targeting data streams within Microsoft 365 environments is relatively straightforward. The real challenge emerges when users manipulate files outside your network perimeter—such as dragging a sensitive internal PDF onto the WhatsApp Desktop app or utilizing Viber Web to send attachments to an external account.
Because Microsoft’s cloud cannot directly look inside third-party servers, we must intercept the data at the workstation layer (the endpoint) before the upload ever executes. This is achieved using Endpoint DLP, a native capability of your M365 E5 license.
The Use Case Scenario: The Blind Spot Bypass
- The Threat: An employee attempts to bypass corporate email and Teams tracking by opening their personal WhatsApp Desktop app or navigating to Viber Web in a browser. They attempt to share a local project spreadsheet with a third party.
- The Data: A local Excel workbook containing sensitive human resources information, payroll details, or documents tagged under the “Highly Confidential” corporate sensitivity label.
- The Goal: Restrict the workstation OS from passing the file handle to unmanaged communication apps or unauthorized web storage domains. Block the execution instantly and display a system tray message alerting the employee.
Step-by-Step Implementation
Unlike email or Teams policies, Endpoint DLP operates in two distinct phases: first, defining global system boundaries (under Endpoint Settings), and second, executing the policy rule itself.
Phase 1: Establish Your Global Settings
Before building your policy, you must tell the operating system which exact boundaries to monitor.
- Navigate to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings.
- Expand Restricted app groups and select Add restricted app group. Name it Unallowed Chat Messengers.
- Under the app list, add the application executable names: WhatsApp.exe and Viber.exe (optional for macOS environments: use the direct bundle path identifier instead).
- Set the fallback action for this restricted group to Block.
- Scroll down to Browser and domain restrictions to sensitive data. Add web.whatsapp.com and viber.com to the restricted service domains list.
Phase 2: Create the Endpoint Policy
- Go back to Policies and select + Create policy > Custom > Custom policy.
- Name the policy EP-Social-Media-Exfiltration-Control.
- On the Locations page, toggle Devices to On and switch all other locations off.
Phase 3: Construct the Enforcement Rule
Click + Create rule inside your policy and define the conditions that watch for local file handling:
| Rule Section | Field Configuration | Expected System Action |
| --- | --- | --- |
| Conditions | Content contains: Sensitivity labels: Highly Confidential | The local scanner evaluates local files whenever they are touched by user workflows. |
| Actions | Audit or restrict activities on devices | Opens up individual system call options for local storage, clipboard, and apps. |
| App Restriction | Under Restricted app activities, select Apply restriction to all groups > Block. | Prevents the executables defined in Phase 1 (WhatsApp.exe, Viber.exe) from accessing the data. |
| Browser Domain | Under Service domains and browser activities, select Upload to a restricted cloud service domain > Block. | Intercepts attempts to drop the target file into web.whatsapp.com or viber.com. |
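The portal clicks in Phases 2 and 3 can be reproduced as a script so the policy is deployable and reviewable in source control. The following is an added example, not code from the original article or from Microsoft: it uses the Security & Compliance PowerShell cmdlets (New-DlpCompliancePolicy, New-DlpComplianceRule) and assumes the Phase 1 restricted app group and service domains already exist from the portal steps above. The "Setting" names passed to -EndpointDlpRestrictions (UnallowedApps, CloudEgress) and the label name are assumptions to confirm against Get-Help and your tenant's label list before running.

```powershell
# Added example (not from the original article or Microsoft).
# Scripts Phase 2 (policy) and Phase 3 (rule) of the walkthrough.
# Assumes Phase 1 (restricted app group + service domains) was done in the portal.
# Assumed values to verify in your tenant: the -EndpointDlpRestrictions
# "Setting" names and the sensitivity label display name.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$policyName = 'EP-Social-Media-Exfiltration-Control'
$labelName  = 'Highly Confidential'   # must match the label display name in your tenant

# Phase 2: policy scoped to the Devices location only (-EndpointDlpLocation),
# created in test mode with notifications so Test 1 / Test 2 can be observed
# before enforcement is switched on.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $policyName `
        -Comment 'Block Highly Confidential files reaching unmanaged messengers' `
        -EndpointDlpLocation 'All' `
        -Mode TestWithNotifications | Out-Null
}

# Phase 3, Conditions: content carries the Highly Confidential sensitivity label.
$labelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            operator = 'Or'
            name     = 'Default'
            labels   = @(@{ name = $labelName; type = 'Sensitivity' })
        }
    )
}

# Phase 3, Actions: device restrictions.
# 'UnallowedApps' (assumed name) = the restricted app group from Phase 1 -> Block
# 'CloudEgress'   (assumed name) = upload to restricted service domains  -> Block
$deviceRestrictions = @(
    @{ Setting = 'UnallowedApps'; Value = 'Block' },
    @{ Setting = 'CloudEgress';   Value = 'Block' }
)

if (-not (Get-DlpComplianceRule -Identity "$policyName-Rule" -ErrorAction SilentlyContinue)) {
    New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
        -ContentContainsSensitiveInformation $labelCondition `
        -EndpointDlpRestrictions $deviceRestrictions | Out-Null
}

# Review what was actually stored before enforcing.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, Mode, EndpointDlpRestrictions

# After Test 1 and Test 2 below behave as expected, flip the policy to enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in TestWithNotifications mode rather than Enable is deliberate: it lets the Activity Explorer events described later confirm that the label condition matches the intended files (and nothing else) before a Block action can interrupt legitimate work.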
Prerequisite Reminder: For these rules to execute, your client workstations must be formally onboarded to Microsoft Defender for Endpoint or enrolled directly into the Purview compliance monitoring ring via native Entra ID configuration.
Step-by-Step Testing & Demonstration
Because this lives on the local device, policy deployment to endpoints takes 20 to 40 minutes to sync down via the local operating system’s configuration agent.
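Before running the tests, it is worth confirming on the workstation itself that the prerequisite from the reminder above is met, since an un-onboarded device will never receive the policy no matter how long you wait. This is an added example, not a script from the original article or from Microsoft; it reads the Defender for Endpoint onboarding indicator (the OnboardingState value under the Windows Advanced Threat Protection\Status registry key, 1 meaning onboarded) and the state of the Sense service, and reports a single readiness verdict. The function name is my own.

```powershell
# Added example (not from the original article or Microsoft).
# Run on the Windows 11 test machine before Test 1 to confirm it is onboarded
# to Microsoft Defender for Endpoint, which Endpoint DLP depends on.
# Assumption: the documented MDE indicators, i.e. OnboardingState = 1 under the
# Status key and a running "Sense" service.

function Test-EndpointDlpPrerequisite {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # $null here means the key/value is absent (never onboarded), not an error.
    $onboardingState = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
                            -ErrorAction SilentlyContinue).OnboardingState

    # "Sense" is the Windows Defender Advanced Threat Protection service.
    $senseService = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseState   = if ($senseService) { [string]$senseService.Status } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $onboardingState          # 1 = onboarded
        SenseService    = $senseState               # expect 'Running'
        ReadyForDlp     = ($onboardingState -eq 1) -and ($senseState -eq 'Running')
    }
}

# Usage: a ReadyForDlp of False means fix onboarding first; a True result means
# the 20-40 minute policy sync window described above is the only remaining wait.
Test-EndpointDlpPrerequisite | Format-List
```

If ReadyForDlp is False, the failing field tells you which half to chase: an absent OnboardingState points at the onboarding package never having run, while a stopped Sense service on an onboarded machine is a local service-health problem rather than a Purview one.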
Test 1: Testing the Desktop Application App-Group Block
- Log in to a fully onboarded Windows 11 machine as a standard user.
- Launch the WhatsApp Desktop App.
- Attempt to drag and drop a document bearing your company's Highly Confidential classification label directly into an active chat pane.
- The Result: The desktop interface rejects the dropped file. Simultaneously, a native Windows system tray toast notification appears in the bottom-right corner of the screen:
⚠️ Action Blocked
Your organization doesn’t allow opening this file with WhatsApp.
Test 2: Testing the Web Browser Upload Bypass
- Open Google Chrome (with the Microsoft Purview Extension active) or Microsoft Edge.
- Navigate directly to web.whatsapp.com or viber.com.
- Click the attachment paperclip icon and point it to the same protected test file.
- The Result: The upload process is abruptly dropped. The browser intercept returns a standard security prompt indicating that the network transfer was halted because it violated company data guidelines.
What the Admin Sees: Endpoint Metrics
When an end-user attempts to bypass restrictions via an app, Endpoint DLP passes the device event metadata straight back to your Purview Activity Explorer.
The logged event breaks down the forensic trail for your monitoring team:
[ENDPOINT EVENT: Data Loss Prevention Rule Triggered]
Activity: CopyToRestrictedApp
Application: WhatsApp.exe
Host Machine: CLOUD-WORKSTATION-042
Target File: 2026_Q4_Finances.xlsx
Applied Label: Highly Confidential
Final Action: Blocked
This ensures that even if users step outside your core productivity software suite, the local operating system enforces data classification boundaries automatically.
Deep Dive Part 4: Troubleshooting & Forcing Endpoint DLP Policy Syncs