Microsoft Purview | Insider Risk Management - Personal email triggers

Microsoft Purview Insider Risk Management will add two new email triggers in September 2025 to detect data exfiltration via attachments sent to personal or public email domains. These triggers can be enabled in IRM settings and will update quick policy templates without affecting existing policies. No action required.

[Introduction]

To enhance detection capabilities in Insider Risk Management (IRM), we’re adding two new email indicators as triggers for data exfiltration activities. These indicators help identify potential data leaks when users send business-sensitive attachments to personal or public email domains. This update supports stronger data protection and aligns with customer feedback requesting broader coverage of email-based risks.

This message is associated with Microsoft 365 Roadmap ID 496149.

[When this will happen:]

General Availability (Worldwide, GCC, GCC High, GCC DoD): Rollout will begin in early September 2025 and is expected to complete by late September 2025.

[How this affects your organization:]
  • Who is affected: Admins managing Insider Risk Management policies.
  • What will happen:
    • Two new email triggers will be available:
      • Sending email with attachments to free public domains.
      • Sending email with attachments to self (personal email).
    • These indicators can be enabled from the IRM settings page.
    • Sequence detections will now include these indicators as exfiltration activities.
    • IRM quick policy templates will be updated:
      • Email exfiltration: These two indicators will be set as default triggers and indicators. Sending email with attachments to external recipients will not be enabled by default.
      • Data leaks: Both indicators will be added to triggers and indicators, with no changes to existing ones.
      • Data theft by users leaving your org: Indicators will be added; existing triggers and indicators remain unchanged.
      • Critical asset protection: Both indicators will be added to triggers and indicators, with no changes to existing ones.
    • Existing policies created from quick templates will not be affected.

[What you can do to prepare:]
  • No action is required. The new triggers will automatically become available for configuration in the IRM policy wizard.

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.