Exchange 2013 and Office 365 (O365) include a new feature that can peek into e-mail messages and enclosed documents and then flag them, forward them, or block them entirely based on what it finds. This sort of data loss prevention technology has become increasingly common in corporate mail systems, but its inclusion as a feature in Office 365's cloud service makes it a lot more accessible to organizations that haven't had the budget or expertise to monitor the e-mail lives of their employees.

As we showed in our review of the new Office server platforms, the data loss prevention feature of Microsoft's new messaging platforms can detect things like credit card numbers, social security numbers, and other content that has no business travelling by e-mail. Because of how simple it is to configure rules for Microsoft's DLP and security features, administrators will also have the power to do other sorts of snooping into what's coming and going from users' mailboxes.

Unfortunately, depending on the mix of mail servers in your organization—or which Exchange instances you happen to hit in the O365 Azure cloud—they may not be enforced on every message. DLP policies are evaluated by the Exchange 2013 transport service, so in a mixed deployment, mail that is routed only through older Exchange 2010 servers is never checked against them. And even where they are enforced, they won't stop someone determined to steal data via e-mail.

In tests we performed with DLP and security features, we found that Exchange and O365 were pretty good at catching credit card numbers and other personally identifiable information. However, some of the rules we set for testing didn't take for all of our users. That in part may have been because of the limited rollout of the new Exchange within Microsoft's O365 infrastructure when we were performing the testing. When setting rules, we got a warning from the Exchange Administrative Console:

So in other words, if you're rolling out Exchange 2013 in your organization or are using Office 365 from multiple locations, your mileage with DLP may vary. And even when the rules do work, there are some limits to what you can stop from going out the SMTP gateway.

Exchange 2013 and Office 365 let administrators write transport rules (mail flow rules) that act on messages as they pass through the transport service. Those rules can be used for all sorts of things, like rerouting inbound e-mail from one mailbox to another based on the sender, keywords in the subject or contents, and a number of other parameters. For data loss prevention, rules are triggered by filters that check for keywords or for the built-in sensitive information types, and those types are more than regular expressions: they run a calculation on the matched text. The credit card detector Microsoft ships out of the box, for example, does not fire on just any run of sixteen digits; the digits have to pass the Luhn checksum that every issued card number satisfies, and the built-in type reports higher confidence when corroborating evidence such as an expiration date or a card-related keyword appears nearby.

Exchange and O365's filters can read both message bodies and common file attachments by scanning their content. The filters can also check compressed files for content. We ZIP-compressed documents with content banned by rules put in place to stop them from getting out, including credit card numbers, and the filters caught them with no trouble.

However, someone intentionally trying to get data out of the organization would probably not send it as an unprotected document or .ZIP file. A screenshot of the data, for example, goes straight through: the built-in filters inspect text, not pixels, so nothing in Exchange or O365 will stop a picture of credit card data from leaving. The filters are also defeated by the most basic encoding, which is not even encryption: substituting letters for digits, or adding leading and trailing digits so that the run no longer passes the checksum. Even something as ancient as ROT-13 works against keyword rules, and against a card number once its digits have first been replaced with letters (ROT-13 by itself rotates only letters and leaves digits in place).
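As an added example (not code from the article, and not Microsoft's rule engine or sensitive information definitions), here is a small Python model of the filter described in the preceding paragraphs: it pulls digit runs out of message text, applies the Luhn checksum a card number must satisfy, and looks inside ZIP attachments the way the real scanner does. It is then run against the evasions the text mentions. The candidate pattern, the sample messages and the digit-to-letter substitution are constructed for illustration only; 4111 1111 1111 1111 is a standard Luhn-valid test number, not a real account.

```python
"""Toy model of an e-mail DLP content filter for credit card numbers.

Added example for illustration; it is not Exchange's own rule engine.
"""
import codecs
import io
import re
import zipfile
from typing import Dict, List

# Constructed sample: a well-known Luhn-valid test PAN, not a real card.
CARD = "4111 1111 1111 1111"

# Candidate pattern (an assumption, not Microsoft's definition): a run of
# 13 to 19 digits, optionally separated by spaces or hyphens, on word boundaries.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every issued card number satisfies.

    Every second digit from the right is doubled (subtracting 9 if the
    result exceeds 9); the sum of all digits must be a multiple of ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in a block of text."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def make_zip(files: Dict[str, str]) -> bytes:
    """Build an in-memory ZIP attachment from {filename: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Open a ZIP attachment, as the filter does, and scan each member's text."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            hits = find_card_numbers(zf.read(name).decode("utf-8", "replace"))
            if hits:
                found[name] = hits
    return found


def scan_message(body: str, attachments: Dict[str, bytes]) -> Dict[str, object]:
    """Scan the body plus ZIP attachments; 'blocked' is True on any hit."""
    body_hits = find_card_numbers(body)
    att_hits = {name: scan_zip(data) for name, data in attachments.items()}
    att_hits = {name: hits for name, hits in att_hits.items() if hits}
    return {"body": body_hits, "attachments": att_hits,
            "blocked": bool(body_hits or att_hits)}


# Evasions from the text. The substitution table is a toy (assumption): digits
# 0-9 become letters a-j, then the result is ROT-13'd. ROT-13 alone would do
# nothing here, since it rotates letters and leaves digits untouched.
DIGIT_TO_LETTER = str.maketrans("0123456789", "abcdefghij")
LETTER_TO_DIGIT = str.maketrans("abcdefghij", "0123456789")


def disguise(number: str) -> str:
    """Letter-substitute the digits, then ROT-13: no digit run survives."""
    return codecs.encode(number.translate(DIGIT_TO_LETTER), "rot_13")


def undisguise(text: str) -> str:
    """What the recipient does to recover the number."""
    return codecs.decode(text, "rot_13").translate(LETTER_TO_DIGIT)


if __name__ == "__main__":
    zipped = make_zip({"orders.txt": "Card " + CARD.replace(" ", "-") + " exp 04/15"})
    cases = {
        "plain body": scan_message("Please charge " + CARD + " for invoice 8823.", {}),
        "wrong checksum": scan_message("ticket 4111 1111 1111 1112", {}),
        "zipped attachment": scan_message("see attached", {"orders.zip": zipped}),
        "padded digits": scan_message("ref 0 " + CARD + " 0", {}),
        "substituted + rot13": scan_message("Card: " + disguise(CARD), {}),
    }
    for label, verdict in cases.items():
        print(f"{label:22s} blocked={verdict['blocked']}")
    print("recipient decodes:", undisguise(disguise(CARD)))
```

The first three cases behave as the article reports: a bare number is caught, a number that fails the checksum is ignored, and a number inside a ZIP is found. The last two show why this is only a guard against accidents: padding the run with one digit at each end breaks the checksum on the whole run, and a two-step letter substitution leaves no digits for the pattern to match, while the recipient recovers the number with two trivial operations. A screenshot needs no code at all, since the filter never looks at image bytes.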

So the new DLP features are basically useless for blocking anything other than accidental, casual, or poorly executed attempts to expose sensitive data. For any greater level of actual data loss prevention, organizations would still need other measures, such as deep packet inspection at the network edge, bearing in mind that a pattern matcher there is beaten by the same encodings and sees nothing inside encrypted sessions it cannot terminate.

But there is one particular type of monitoring that the DLP and transport rules in Exchange do well: enforcing other e-mail usage policies by scanning for keywords. Exchange can easily spot the word "resume" in a Word document and forward the message to the employee's manager, bounce it back to the sender, silently delete it, or hold it in quarantine for further analysis.

Microsoft's bundling of this sort of technology with Exchange and O365 enterprise editions will probably lead to Google offering similar features to its Apps for Business customers. After all, given that pattern recognition is something in Google's wheelhouse, it isn't too much of a stretch to believe it could offer DLP as part of its Vault e-discovery and archiving service. Google is already pretty good at finding content in Gmail for advertising purposes, as Microsoft has been happy to harp on about in its own marketing efforts for Outlook.com and Office 365.

If you're working for a heavily regulated company or just working for one that's concerned about how you're using their computing resources, you should just expect this sort of monitoring. But with DLP now (relatively) affordable for companies of all sizes through O365, the population of people who could conceivably be monitoring co-workers' e-mails has risen dramatically—no deep packet inspection required. Think about that the next time you use your work e-mail for personal business.