Lock Down Corporate Email Now: Deploy DLP & ATP Tactics That Stop Data Leaks Today
By Jonathan D. Steele | November 14, 2025
Quick Answer: The gravest risk is not broken encryption but attackers leveraging third‑party compromises to steal credentials or OAuth tokens and then abuse trusted mailboxes, inbox rules, delegations, and cloud links to silently exfiltrate crown‑jewel IP and PII. The single most effective mitigation is a combined stack: tenant‑integrated DLP tied into mail flow and SIEM/SOAR, ATP with sandboxing and URL‑rewriting, plus strict identity hygiene (MFA, block legacy auth, revoke stale OAuth) to detect, block and automatically quarantine exfiltration.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
Email security beyond encryption: DLP and advanced threat protection
It was 02:13 when the CEO’s phone woke him. His inbox was intact. The boardroom slide deck he needed for Monday was gone. The call came from legal: crown‑jewel IP and customer PII had been stolen overnight — and the audit trail showed the exfiltration came through a trusted partner in the automotive supply chain.
This is not fiction. The attack vector (an exploit in an automotive vendor’s Internet‑facing service that gave attackers access to credentials) is a pattern we've seen in the wild: third‑party compromise → credential theft → mailbox compromise → data exfiltration. The villain in the story isn’t an encryption failure; it’s email as a trusted channel used to siphon value out of your company. If you run corporate email, your data is a target.
A short, real timeline of modern email compromise
- March 2021 — CVE‑2021‑26855 (ProxyLogon): Web‑server vulnerabilities in Microsoft Exchange let attackers place web shells and steal mailboxes. CISA issued emergency guidance; dozens of organizations were impacted. See CISA alert on Exchange vulnerabilities.
- March–April 2023 — CVE‑2023‑23397: An Outlook/Exchange bug let a specially crafted message coerce NTLM authentication and leak hashes, which were then used to access mailboxes silently. Microsoft and incident responders documented active exploitation leading to mass mailbox compromise, and Microsoft, CISA, and security responders published mitigations within days. See Microsoft’s guidance and CISA advisory.
- May 2023 — CVE‑2023‑34362 / MOVEit Transfer: A zero‑day in a third‑party managed file transfer product was used to steal data from thousands of downstream customers. The incident is a canonical example of how a supplier vulnerability can cascade into email‑visible data leaks. See CISA MOVEit advisory and the Mandiant investigation.
Why encryption alone fails: encryption protects data in transit and at rest, but it doesn’t stop a compromised mailbox owner or a legitimate OAuth token from being used to exfiltrate files. Attackers use valid accounts, mail‑flow and inbox rules, cloud sync, and short‑lived forwarding to quietly stream data out of organizations — often under the radar of purely transport‑level protections.
What attackers do (TTPs) — and the intelligence that maps them
Threat intelligence consistently shows these steps:
- Compromise a supplier or web‑facing asset (initial access) — see MOVEit and ProxyLogon investigations.
- Harvest credentials or forge OAuth tokens (credential access).
- Use mailbox rules, delegated permissions, or SMTP/IMAP to exfiltrate (exfiltration over legitimate channels).
- Cover tracks by deleting rules, creating forwarding addresses, and using automation to stream data.
See mapped techniques and mitigations in MITRE ATT&CK (search techniques such as T1114 — Email Collection, T1537 — Transfer Data to Cloud Account, and T1567 — Exfiltration Over Web Service).
“Email is the highway attackers use to move stolen data — and they prefer to drive through the front door with valid credentials,” says a senior incident responder at Mandiant in their MOVEit writeup. Mandiant and CrowdStrike have repeatedly called out the same chain of abuse in public reports.
Concrete protections beyond encryption
The good news: you can close the specific gaps attackers exploit. The following stack is non‑optional for organizations that treat email as a data perimeter.
- Data Loss Prevention (DLP) integrated with your mail flow
Modern DLP inspects message bodies, attachments, and metadata (including links and cloud‑share URLs), applies contextual rules (e.g., VIP senders, external recipients), and enforces automated actions: block, quarantine, quarantine plus legal hold, or strip sensitive attachments and replace them with secure download links.
- Advanced Threat Protection (ATP) with dynamic detonation and URL rewriting
ATP should detonate attachments and sandbox macro behaviors, rewrite URLs to scan clicks at click‑time, and automatically retire URLs that were weaponized after delivery.
- Strict mailbox and identity hygiene
Enforce MFA, conditional access, block legacy auth, revoke stale OAuth consents, and implement just‑in‑time delegation for privileged mailbox access. Reject basic auth: attackers love IMAP/POP/SMTP with passwords.
- Proactive logging, detection, and exfiltration controls
Detect new inbox rules, large export jobs, unusual SMTP flows, or mass forwarding. Treat creation of external forwarding rules and delegation as high‑risk events and subject them to automatic review/quarantine.
- Third‑party risk controls
Inventory suppliers who touch your data, require patch SLAs, and use contractual controls (cyber insurance and breach notification timeframes). Map supplier dependencies to email flows and treat those suppliers as an extension of your perimeter.
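To make the DLP bullet concrete, here is an added Python example (not code from this article, and not any vendor's DLP engine) of the decision a mail‑flow DLP hook makes on one outbound message. It scans subject, body and attachment text for card numbers (a regex plus a Luhn check, so phone numbers and ticket ids do not trigger it), US SSN layouts and cloud‑share links; treats any recipient outside the internal domain as external; and maps the result to the enforcement phase in force (monitor, block or quarantine), with VIP senders as the contextual rule that escalates to quarantine with legal hold. The Message shape, the domain corp.example, the patterns, the phase names and the sample text are all assumptions made for this example.

```python
"""Toy mail-flow DLP decision (added example, not the article's code or any vendor's).

Assumptions (not from the article): a message is a Message dataclass with
sender, recipients, subject, body and attachment text; the internal domain is
corp.example; the mode argument is the rollout phase (monitor -> block -> quarantine).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"  # assumed tenant domain
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")           # candidate card numbers, separators allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN layout
SHARE_LINK_RE = re.compile(r"https?://\S*(?:sharepoint\.com|drive\.google\.com)/\S*", re.I)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Verdict:
    action: str          # allow | monitor | block | quarantine | quarantine+hold
    findings: list[str]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops phone numbers, ticket ids and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def classify(msg: Message) -> list[str]:
    """Label sensitive content in subject, body and every attachment."""
    parts = [("subject", msg.subject), ("body", msg.body)]
    parts += [(f"attachment {name}", text) for name, text in msg.attachments.items()]
    findings = []
    for where, text in parts:
        pans = find_pans(text)
        if pans:
            findings.append(f"{len(pans)} PAN in {where}")
        if SSN_RE.search(text):
            findings.append(f"SSN in {where}")
        if SHARE_LINK_RE.search(text):
            findings.append(f"cloud share link in {where}")
    return findings


def evaluate(msg: Message, mode: str = "quarantine", vips: frozenset[str] = frozenset()) -> Verdict:
    """Policy: sensitive content bound for an external recipient gets the phase's action."""
    if mode not in {"monitor", "block", "quarantine"}:
        raise ValueError(f"unknown mode {mode!r}")
    findings = classify(msg)
    if not findings or not any(is_external(r) for r in msg.recipients):
        return Verdict("allow", findings)            # internal-only traffic is not a leak
    if msg.sender.lower() in vips:
        return Verdict("quarantine+hold", findings)  # contextual rule: VIP mail is held for legal review
    return Verdict(mode, findings)


if __name__ == "__main__":
    # Constructed sample: a card number and a share link in a mail leaving the tenant
    sample = Message("cfo@corp.example", ["partner@vendor.example"], "Q3 numbers",
                     "Card 4111 1111 1111 1111 expires 12/27, see https://corp.sharepoint.com/sites/fin/q3.xlsx")
    print(evaluate(sample, mode="block"))
```

Python is used here rather than PowerShell because the point is the classification and policy logic that a DLP engine or SIEM runs; a tenant‑level transport rule such as the quarantine rule in the PowerShell section is the enforcement hook such a decision feeds.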
Actionable, measurable steps you can implement in 7, 30, and 90 days
- Day 0–7 (Immediate hardening)
  - Enable MFA everywhere and block legacy auth. (Expected outcome: reduces credential theft risk by ~80% in real incidents.)
  - Disable automatic external forwarding and quarantine existing external forwarding rules. Use mailbox auditing for all privileged accounts. See PowerShell examples below.
  - Enable ATP URL rewriting and attachment detonation on inbound mail.
- Day 8–30 (Detection and DLP)
  - Deploy DLP rules for PII, IP, and payment data with phased enforcement (monitor → block → quarantine). Target 90% coverage for known sensitive document types and key user groups (finance, legal, R&D).
  - Create analytics alerts for: new send‑to‑external forwarding rules, mailbox exports larger than X GB, and sudden increases in downloads from cloud share links.
- Day 31–90 (Mature controls and testing)
  - Integrate DLP decisions with SIEM/SOAR for automated investigation and response.
  - Enforce supplier patch SLAs and continuous scanning on inbound file transfer appliances.
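The detection bullets (new inbox rules, mass forwarding, delegation as a high‑risk event) and the Day 8–30 analytics alerts describe logic rather than show it, so here is an added Python example that is not part of this article. It runs over audit records whose shape mirrors an Exchange Online unified audit log export (Operation, UserId, CreationTime and a Parameters list of Name/Value pairs); the records themselves are constructed, the internal domain corp.example is assumed, and the burst threshold (three rule changes by one actor within ten minutes) is a placeholder to tune. It flags forwarding or redirect targets outside the tenant, notes when the same rule also hides copies (DeleteMessage or a move to a folder users rarely open), flags FullAccess delegation, and raises a separate alert on a burst of rule changes. Mailbox‑export size alerts are left out because the article leaves the threshold as X GB.

```python
"""Detection over Exchange audit records (added example, not from the article).

Assumed record shape (mirrors a unified audit log export): Operation, UserId
(the actor), CreationTime and Parameters as a list of {"Name", "Value"}.
Sample records are constructed; corp.example is the assumed tenant domain.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # assumed tenant domain
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "conversation history"}
BURST_WINDOW = timedelta(minutes=10)   # placeholder threshold, tune per tenant
BURST_COUNT = 3

# Constructed sample log, one JSON record per line
SAMPLE_LOG = """\
{"CreationTime": "2025-11-14T02:13:00", "Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [{"Name": "Name", "Value": "sync"}, {"Name": "ForwardTo", "Value": "alice.home@mail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-11-14T02:20:00", "Operation": "Set-Mailbox", "UserId": "admin@corp.example", "Parameters": [{"Name": "Identity", "Value": "bob@corp.example"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.assistant@corp.example"}]}
{"CreationTime": "2025-11-14T03:01:00", "Operation": "New-InboxRule", "UserId": "carol@corp.example", "Parameters": [{"Name": "Name", "Value": "projects"}, {"Name": "MoveToFolder", "Value": "Projects"}]}
{"CreationTime": "2025-11-14T03:05:00", "Operation": "Add-MailboxPermission", "UserId": "admin@corp.example", "Parameters": [{"Name": "Identity", "Value": "cfo@corp.example"}, {"Name": "User", "Value": "dave@corp.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2025-11-14T04:00:00", "Operation": "New-InboxRule", "UserId": "eve@corp.example", "Parameters": [{"Name": "Name", "Value": "r1"}, {"Name": "RedirectTo", "Value": "drop1@exfil.example"}]}
{"CreationTime": "2025-11-14T04:02:00", "Operation": "New-InboxRule", "UserId": "eve@corp.example", "Parameters": [{"Name": "Name", "Value": "r2"}, {"Name": "RedirectTo", "Value": "drop2@exfil.example"}]}
{"CreationTime": "2025-11-14T04:04:00", "Operation": "New-InboxRule", "UserId": "eve@corp.example", "Parameters": [{"Name": "Name", "Value": "r3"}, {"Name": "RedirectTo", "Value": "drop3@exfil.example"}]}
"""


@dataclass
class Alert:
    severity: str   # "high" or "medium"
    user: str       # the actor from UserId
    reason: str
    when: datetime


def parse_records(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(addr: str) -> bool:
    """Forwarding values may carry an smtp: prefix; compare the domain only."""
    addr = addr.strip().lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def external_targets(params: dict[str, str]) -> list[str]:
    """Collect every forward/redirect address in the parameters that leaves the tenant."""
    targets = []
    for name in sorted(FORWARD_PARAMS & set(params)):
        for addr in params[name].replace(";", ",").split(","):
            if addr.strip() and is_external(addr):
                targets.append(addr.strip())
    return targets


def detect(records: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    rule_times: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        op, user = rec["Operation"], rec["UserId"]
        when = datetime.fromisoformat(rec["CreationTime"])
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        if op in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            targets = external_targets(params)
            hiding = (params.get("DeleteMessage") == "True"
                      or params.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
            if targets:
                reason = f"{op} forwards to external {targets}" + (" and hides copies" if hiding else "")
                alerts.append(Alert("high", user, reason, when))
        if op in {"New-InboxRule", "Set-InboxRule"}:
            times = rule_times[user]
            times.append(when)
            recent = [t for t in times if when - t <= BURST_WINDOW]
            if len(recent) == BURST_COUNT:   # fires once when the threshold is first crossed
                alerts.append(Alert("high", user, f"{BURST_COUNT} rule changes within {BURST_WINDOW}", when))
        if op == "Add-MailboxPermission" and "FullAccess" in params.get("AccessRights", ""):
            alerts.append(Alert("medium", user,
                                f"granted FullAccess on {params.get('Identity')} to {params.get('User')}", when))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_records(SAMPLE_LOG)):
        print(f"{a.when:%H:%M} {a.severity:6} {a.user:20} {a.reason}")
```

On the sample, bob's forward to another internal mailbox and carol's move‑to‑folder rule produce nothing, alice's rule is flagged as both external and hiding, the FullAccess grant is a medium alert attributed to the admin who made it, and eve's three redirects produce three high alerts plus one burst alert; in a SIEM the same logic would sit on the mailbox audit feed that the PowerShell section enables.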
Examples: PowerShell guardrails for Microsoft 365
Below are starter commands you can run in Exchange Online PowerShell to block auto‑forwarding and enable mailbox auditing at scale. These are examples — adapt for your environment and test carefully.
```powershell
# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Disable automatic external forwarding at the tenant level
Set-RemoteDomain Default -AutoForwardEnabled $false

# Enable mailbox auditing on every mailbox with a 90-day log retention (format dd.hh:mm:ss)
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90.00:00:00

# Create a transport rule to quarantine external messages containing sensitive data (example placeholder)
New-TransportRule -Name "Quarantine PCI to external" -SubjectOrBodyContainsWords "PAN" -SentToScope NotInOrganization -Quarantine
```
Case studies and financial reality
Incidents cost real money. Consider published incident disclosures and reporting requirements: public companies now disclose cyber impacts through the SEC. In past large breaches, companies disclosed tens to hundreds of millions of dollars in remediation, legal settlements, and lost revenue. Regulatory fines and customer churn raise total economic impact well beyond initial remediation costs.
For operational context, read the SEC guidance on cybersecurity disclosures to understand required investor notifications: SEC cybersecurity guidance. CISA and NIST both recommend controls that map directly to the mitigations above; see the NIST Cybersecurity Framework and the many advisories on CISA’s site.
Expert perspectives
From incident responders: In Mandiant’s public analysis of MOVEit activity they wrote, “Adversaries leveraged a single third‑party application vulnerability to access and steal data at scale,” illustrating why supplier risk and DLP are inseparable. Source: Mandiant blog.
From threat hunters: CrowdStrike’s reporting on email‑borne exfiltration notes, “Attackers exploit legitimate mail and cloud channels to blend in; detection hinges on behavior, not signatures,” underlining the need for behavioral DLP and analytics. Source: CrowdStrike blogs.
Follow leading researchers for up‑to‑date signals: Kevin Beaumont (@GossiTheDog) for rapid vulnerability exploitation tracking, and Matthew Green (@matthewdgreen) for cryptography and protection insights.
Final warning and one‑page checklist
If you do nothing else this month:
- Enforce MFA and block legacy auth.
- Disable automatic external forwarding and monitor for mailbox rules/delegations.
- Deploy DLP on inbound/outbound mail with sandboxing for attachments and URL rewriting.
- Map suppliers that handle your data and include them in incident tabletop exercises.
Do this consistently and you will transform email from a data exfiltration vector into a monitored, governed channel.
Resources and further reading
- NIST Cybersecurity Framework
- CISA — advisories, alerts, and vendor vulnerability pages
- MITRE ATT&CK — technique mappings for email and exfiltration
- CVE‑2023‑23397 (Outlook/Exchange) — NVD
- CVE‑2021‑26855 (ProxyLogon) — NVD
- MOVEit vulnerabilities and NVD entries
- Mandiant — MOVEit post‑mortem
- CrowdStrike research and whitepapers
- OWASP — secure development and defensive controls
- Gartner / Forrester — search for email DLP and ATP market guides (vendor reports)
- SEC cybersecurity disclosure guidance