Skip to main content

Rule Example (Emails): Prevent sharing of internal files via emails

Updated yesterday

Introduction

Email is one of the most common vectors for data leaks. Teramind's Emails Content Sharing rules help you prevent unauthorized transfer of proprietary files via email attachments.

Rule Walkthrough

The example rule below prevents users from sending outgoing emails if they include attachments originating from a secure, internal source like a SharePoint server.

Setting Up the Rule

General Settings

1. Assign a Rule Name. For example, “Block file transfer via USB drives”.

2. Select a Parent Policy. For example, “Admin Policy”.

3. Select “Content Sharing” for Rule Type.

4. Select “Emails under Select the type of contents.

Helpful Resources:

Employees

5. Turn on the Inherit targets from Parent Policy option to use the policy’s default targets.

6. Alternatively, turn it off and manually select the employees, departments and/or computers for the rules target from the Assign to field.

7. Optionally, you can exclude targets in the Exclude from rule field.

Helpful Resources:

Content

8. A default definition block, "Definition 1," should already be added to the rule. Configure the definition as follows:

Definition 1

9. Select "File Origin" for Type of sensitive data.

10. Select "URL" under Sensitive data to detect.

11. Enter the source URL (where the file originated) in the field below, for example, "teramind.sharepoint.com". Then, select the Contains condition.

Helpful Resources:

Emails

12. A default condition block, "Condition 1," should already be added to the rule. Configure the condition as follows:

Condition 1

13. Add the Message direction criterion by clicking the +Add button.

14. Select "Outgoing" from the direction list.

Helpful Resources:

Actions

15. Select the Lock User action.

16. Optionally, add a message. For example, “Your are locked out. Please contact your administrator.”.

Help Reference:

Rationale for the Rule

The primary goal of this rule is to mitigate legal and ethical risk by ensuring employees adhere to security protocols when sharing confidential, internal documents.

This rule leverages precise detection conditions to monitor the threat vector and automatically take action to prevent data leaks:

  • Detection (Origin): The File Origin content definition detects the file's source via the URL criterion (e.g., "teramind.sharepoint.com"). You can use other sources such as a Network folder or Cloud location. This source information is persistent: it remains with the file even if the user renames the file or they first downloads the file to their local drive and then attaches it to the email.

  • Target Vector: The criterion, Mail direction limits the rule's scope to emails being sent outside the organization and not incoming correspondence.

  • Action: The action, Lock User immediately locks the user's computer preventing the user from completing the data exfiltration attempt and taking any further risky actions.

Related Articles
Understanding Common Rule Elements
Content Sharing Rules: What Contents Trigger the Rules (Windows)?
Rule Example (Clipboard): Record clipboard copy/paste outside domain
Rule Example (Files): Prevent file exfiltration to external drives
Rule Example (Applications): Prevent software installation
Did this answer your question?