SaaS & Email DLP

In a cloud-first world, most business data lives in SaaS applications. Traditional network perimeter controls see at most an encrypted TLS session to a well-known SaaS endpoint, not the content that is being shared. Effective SaaS DLP therefore protects data directly where it is stored and exchanged.

Your Strategy

Use the cloud-native DLP engine of the platform (e.g., Microsoft Purview) to scan emails, Teams chats and SharePoint/OneDrive files at rest and in transit. Add Exact Data Matching (EDM) to detect specific customer records from your own data set rather than generic patterns, and OCR to read text in images and scanned documents that pattern matching would otherwise miss.
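The following is an added example, not code from the page or from Purview, that shows the mechanism behind Exact Data Matching: the sensitive table is never uploaded in cleartext, only salted hashes of each normalized field, and a document is flagged only when a primary element (here a customer ID) matches a hashed row and at least one supporting element from the same row appears nearby. The customer table, salt, field names and proximity window are constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed customer table as it exists in the source system. The real
# table never leaves the tenant; only salted hashes of each field are
# uploaded to the DLP engine. All values below are invented.
CUSTOMER_TABLE = [
    {"customer_id": "CUST-104233", "email": "a.meier@example.com", "phone": "+41 44 123 45 67"},
    {"customer_id": "CUST-778120", "email": "j.keller@example.com", "phone": "+41 31 987 65 43"},
]

# Per-tenant secret used to salt the hashes (constructed constant; a real
# deployment generates it once and keeps it with the upload tooling).
TENANT_SALT = b"constructed-tenant-salt"

PRIMARY = "customer_id"          # the field a document must contain
SUPPORTING = ["email", "phone"]  # corroborating fields from the same row
PROXIMITY = 300                  # characters around the primary hit to search

# Candidate extractors. A regex only proposes values; the hash lookup decides.
CANDIDATE_RES = {
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{7,}\d"),
}


def normalize(field: str, value: str) -> str:
    """Canonical form before hashing so formatting differences still match."""
    value = value.strip()
    if field == "phone":
        return re.sub(r"\D", "", value)   # digits only
    if field == "email":
        return value.lower()
    return value


def salted_hash(field: str, value: str) -> str:
    return hmac.new(TENANT_SALT, normalize(field, value).encode(), hashlib.sha256).hexdigest()


def build_edm_index(rows):
    """The artifact that is uploaded: one salted hash per field per row."""
    return [{f: salted_hash(f, r[f]) for f in [PRIMARY] + SUPPORTING} for r in rows]


EDM_INDEX = build_edm_index(CUSTOMER_TABLE)


@dataclass
class Match:
    row: int               # index into the hashed table
    primary: str           # primary value as it appeared in the text
    supporting_hit: list   # which supporting fields corroborated it


def scan(text: str, index=EDM_INDEX, min_supporting: int = 1):
    """Flag text containing a real row: a primary element plus at least
    min_supporting corroborating fields of the same row within PROXIMITY."""
    hits = []
    for m in CANDIDATE_RES[PRIMARY].finditer(text):
        h = salted_hash(PRIMARY, m.group())
        for i, row in enumerate(index):
            if row[PRIMARY] != h:
                continue  # looks like an ID but is not one of ours
            window = text[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
            found = [
                field for field in SUPPORTING
                if any(salted_hash(field, c.group()) == row[field]
                       for c in CANDIDATE_RES[field].finditer(window))
            ]
            if len(found) >= min_supporting:
                hits.append(Match(i, m.group(), found))
    return hits


# Constructed message text for a quick run.
SAMPLE_MAIL = (
    "Hi, please update the record for CUST-104233. New contact: "
    "A.Meier@Example.com, phone +41 44 123 45 67, thanks"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_MAIL):
        print(f"row {hit.row}: {hit.primary} corroborated by {hit.supporting_hit}")
```

The supporting-element requirement is what separates EDM from a plain regex rule: an ID-shaped string that is not in the table, or a real ID with no corroborating data nearby, produces no match, which keeps false positives (and user friction) down.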

Best Practices

  • Data Centricity: Protect data where it resides (in-place) instead of trying to filter it at the perimeter.
  • SSPM: Continuously monitor the sharing configurations of your SaaS applications for misconfigurations.
  • Encryption: Use automated encryption for emails classified as "Confidential".
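To make the SSPM practice above concrete, here is an added example (not code from the page or from any SSPM product) that evaluates a tenant's sharing configuration against a baseline and reports drift between two snapshots. The two tenant snapshots are constructed and shaped like Get-SPOTenant output; the baseline thresholds and severities are this example's assumptions, and the remediation strings name Set-SPOTenant parameters as known from the SharePoint Online management shell and should be verified against your tenant before scripting them.

```python
from dataclasses import dataclass

# Constructed tenant-wide sharing settings, shaped like the properties
# returned by Get-SPOTenant. Values are invented to show a weak posture
# beside a hardened one.
WEAK_TENANT = {
    "SharingCapability": "ExternalUserAndGuestSharing",  # "Anyone" links allowed
    "RequireAnonymousLinksExpireInDays": -1,              # -1: no expiry enforced
    "DefaultSharingLinkType": "AnonymousAccess",
    "FileAnonymousLinkType": "Edit",
    "PreventExternalUsersFromResharing": False,
    "SharingDomainRestrictionMode": "None",
}

HARDENED_TENANT = {
    "SharingCapability": "ExistingExternalUserSharingOnly",
    "RequireAnonymousLinksExpireInDays": 30,
    "DefaultSharingLinkType": "Internal",
    "FileAnonymousLinkType": "View",
    "PreventExternalUsersFromResharing": True,
    "SharingDomainRestrictionMode": "AllowList",
}


@dataclass
class Finding:
    check: str
    severity: str
    observed: object
    remediation: str


def anonymous_links_on(t):
    return t["SharingCapability"] == "ExternalUserAndGuestSharing"


# (check name, severity, setting, predicate that is True when the setting is
# weak, remediation). Remediations use Set-SPOTenant parameter names; verify
# them against your tenant (assumption of this example).
CHECKS = [
    ("Anyone (anonymous) links enabled", "high", "SharingCapability",
     anonymous_links_on,
     "Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly"),
    ("Anyone links never expire", "high", "RequireAnonymousLinksExpireInDays",
     lambda t: anonymous_links_on(t) and t["RequireAnonymousLinksExpireInDays"] < 1,
     "Set-SPOTenant -RequireAnonymousLinksExpireInDays 30"),
    ("Default link type is anonymous", "high", "DefaultSharingLinkType",
     lambda t: t["DefaultSharingLinkType"] == "AnonymousAccess",
     "Set-SPOTenant -DefaultSharingLinkType Internal"),
    ("Anyone links allow editing", "medium", "FileAnonymousLinkType",
     lambda t: anonymous_links_on(t) and t["FileAnonymousLinkType"] == "Edit",
     "Set-SPOTenant -FileAnonymousLinkType View"),
    ("Guests may reshare content", "medium", "PreventExternalUsersFromResharing",
     lambda t: not t["PreventExternalUsersFromResharing"],
     "Set-SPOTenant -PreventExternalUsersFromResharing $true"),
    ("No partner domain allow-list", "medium", "SharingDomainRestrictionMode",
     lambda t: t["SharingCapability"] != "Disabled" and t["SharingDomainRestrictionMode"] == "None",
     "Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList <partner domains>"),
]


def evaluate(tenant):
    """Run every check; return the weak settings as findings."""
    return [Finding(name, sev, tenant[setting], fix)
            for name, sev, setting, weak, fix in CHECKS if weak(tenant)]


def drift(baseline, current):
    """Settings that changed since the last approved snapshot (the
    'continuous' part of SSPM: run after every export and alert on changes)."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current.get(k)}


if __name__ == "__main__":
    for f in evaluate(WEAK_TENANT):
        print(f"[{f.severity}] {f.check}: observed {f.observed!r} -> {f.remediation}")
    print("drift:", drift(HARDENED_TENANT, WEAK_TENANT))
```

Run the evaluation on every exported snapshot, not once at onboarding: a single admin toggling "Anyone" links back on is exactly the kind of change the drift output is meant to surface.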

STRIDE-LM Design Risks

Spoofing S-01: Identity Spoofing

Attacker impersonates a legitimate user or partner.

Tampering T-01: Data Tampering

Unauthorized modification of shared data or configurations.

Repudiation R-01: Audit Log Manipulation

Deleting or altering traces of an action.

Information Disclosure I-M365-01: Exfiltration via Inbox Rules

Inbox or mailbox forwarding rules that automatically send copies of incoming mail to external addresses, created by the user or by an attacker holding the user's session.

Information Disclosure I-DLP-01: Insider Data Theft

Deliberate or accidental leakage of data by internal users.

Information Disclosure I-DLP-03: Encrypted Channel Exfiltration

Data outflow via encrypted, non-inspectable channels.

Denial of Service D-01: Resource Exhaustion

Overloading systems through massive requests or resource hogging.

Monitoring Gaps M-01: Insufficient Logging

Missing or inadequate recording of security-relevant events.

MITRE ATT&CK® Techniques

Initial Access

T1078 Valid Accounts (ATT&CK)

Use of stolen or otherwise valid credentials to sign in as a legitimate user.

Mitigated by:
  • Adaptive MFA (Risk-based) | Extended Protection | Low (CIS 6.5; NIST PR.AC-7)
T1566 Phishing (ATT&CK)

Delivering malicious content (links, attachments, consent prompts) via email or chat.

Mitigated by:
  • Mailflow Rules (Transport Rules) | Baseline Protection | Low (CIS 9.3; NIST PR.DS-2)
  • Adaptive MFA (Risk-based) | Extended Protection | Low (CIS 6.5; NIST PR.AC-7)
Persistence

T1137 Office Application Startup (ATT&CK)

Abuse of Office startup mechanisms (templates, add-ins, Outlook forms and home pages) so that attacker code runs every time the application starts.

Mitigated by:
  • Restricted App Consent | Baseline Protection | Low (CIS 16.1; NIST PR.AC-1)
  • Mailbox Delegation Monitoring | Extended Protection | Low (CIS 6.2; NIST DE.AE-2)

T1098 Account Manipulation (ATT&CK)

Changing permissions, adding credentials or delegations, or creating new accounts to keep access.

Mitigated by:
  • SaaS Security Posture Management (SSPM) | Extended Protection | Medium (CIS 1.1; NIST ID.AM-2)
  • Restricted App Consent | Baseline Protection | Low (CIS 16.1; NIST PR.AC-1)
  • Mailbox Delegation Monitoring | Extended Protection | Low (CIS 6.2; NIST DE.AE-2)
Credential Access

T1539 Steal Web Session Cookie (ATT&CK)

Stealing session cookies or tokens (e.g., via adversary-in-the-middle phishing) and replaying them to bypass authentication, including an MFA prompt the victim has already completed.

Mitigated by:
  • Adaptive MFA (Risk-based) | Extended Protection | Low (CIS 6.5; NIST PR.AC-7)

Risk-based MFA only raises the bar at sign-in; a stolen cookie is replayed after MFA has succeeded, so pair it with short sign-in frequency and device- or compliance-based conditions.
Collection

T1114.003 Email Forwarding Rule (ATT&CK)

Inbox or mailbox-level forwarding rules that silently copy incoming mail to an external address.

Mitigated by:
  • Mailbox Delegation Monitoring | Extended Protection | Low (CIS 6.2; NIST DE.AE-2)
  • Mailflow Rules (Transport Rules) | Baseline Protection | Low (CIS 9.3; NIST PR.DS-2)
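The detection side of both I-M365-01 (Exfiltration via Inbox Rules) and T1114.003, as an added example that is not code from the page or from Microsoft: it reads Exchange admin-audit records from the unified audit log, pulls every forwarding-type parameter out of New-InboxRule, Set-InboxRule and Set-Mailbox operations, and alerts when a target domain is external. It also flags the tradecraft that usually accompanies malicious rules: deleting the forwarded message (which hides the rule's effect, cf. R-01), near-empty rule names, and mailbox-level forwarding that keeps delivering a copy to the victim. The audit records, internal domain list and addresses are constructed; the record shape follows the Operation plus Parameters (Name/Value) layout of Exchange admin audit entries.

```python
import json
import re

# Domains that count as "internal"; anything else is an external destination.
# Constructed for this example.
INTERNAL_DOMAINS = {"example.com", "example.ch"}

# Cmdlet parameters that send mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

# Constructed audit records, shaped like Exchange admin-audit entries in the
# Microsoft 365 unified audit log. Users, addresses and IPs are invented.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2024-05-02T07:14:09", "Operation": "New-InboxRule",
                "UserId": "a.meier@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "Finance"},
                               {"Name": "ForwardTo", "Value": "finance-shared@example.com"}]}),
    json.dumps({"CreationTime": "2024-05-02T07:16:41", "Operation": "New-InboxRule",
                "UserId": "a.meier@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardAsAttachmentTo",
                                "Value": "\"A M\" [SMTP:am.backup@freemail.example]"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-02T07:20:03", "Operation": "Set-Mailbox",
                "UserId": "j.keller@example.com", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Identity", "Value": "j.keller"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:jk.private@mailbox.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-02T07:22:55", "Operation": "Set-Mailbox",
                "UserId": "admin@example.com", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Identity", "Value": "j.keller"},
                               {"Name": "ProhibitSendQuota", "Value": "50GB"}]}),
]


def params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_targets(value):
    """Extract SMTP addresses from a parameter value, which may be a ';'-separated
    list, carry an 'smtp:' prefix, or be in '"Display" [SMTP:addr]' form, and
    keep only those outside INTERNAL_DOMAINS."""
    return [a.lower() for a in EMAIL_RE.findall(value)
            if a.split("@")[1].lower() not in INTERNAL_DOMAINS]


def analyze(lines):
    """Return one alert per record that forwards mail to an external address."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in WATCHED_OPS:
            continue
        p = params(rec)
        targets = [t for name in sorted(p.keys() & FORWARD_PARAMS)
                   for t in external_targets(p[name])]
        if not targets:
            continue
        flags = []
        if p.get("DeleteMessage", "").lower() == "true":
            flags.append("deletes-forwarded-mail")        # victim never sees the mail
        if rec["Operation"] != "Set-Mailbox" and len(p.get("Name", "").strip()) <= 2:
            flags.append("low-visibility-rule-name")      # ".", "..", " " and similar
        if p.get("DeliverToMailboxAndForward", "").lower() == "true":
            flags.append("silent-copy-forward")           # mailbox-level copy, no rule visible
        alerts.append({"user": rec["UserId"], "operation": rec["Operation"],
                       "time": rec["CreationTime"], "client_ip": rec.get("ClientIP"),
                       "targets": targets, "flags": flags})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_RECORDS):
        print(f"{a['time']} {a['user']} {a['operation']} -> {a['targets']} {a['flags']}")
```

Detection is the second line: the preventive counterpart is to disable automatic forwarding to external recipients in the Exchange Online outbound spam filter policy (or a transport rule that rejects auto-forwarded mail), so a rule like the second record above is created but never delivers anything.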
T1114.002 Remote Email Collection (ATT&CK)

Harvesting mailbox contents directly from the mail server or cloud mailbox (e.g., via Graph or EWS with valid credentials or a stolen token).

Mitigated by:
  • Mailflow Rules (Transport Rules) | Baseline Protection | Low (CIS 9.3; NIST PR.DS-2)
T1530 Data from Cloud Storage Object (ATT&CK)

Accessing data in cloud storage (S3 buckets, Azure Blobs, SharePoint/OneDrive document libraries) through over-permissive sharing or stolen credentials.

Mitigated by:
  • Sensitivity Labels (Purview) | Extended Protection | High (CIS 13.2; NIST PR.DS-1)
  • Data Loss Prevention (DLP) | Baseline Protection | Medium (CIS 13.3; NIST PR.DS-1)
  • Automatic Data Classification | Extended Protection | High (CIS 13.1; NIST PR.DS-1)
  • SaaS Security Posture Management (SSPM) | Extended Protection | Medium (CIS 1.1; NIST ID.AM-2)
  • Tenant Restrictions | Extended Protection | Medium (CIS 6.1; NIST PR.AC-3)
Exfiltration

T1020 Automated Exfiltration (ATT&CK)

Scripted or tool-driven exfiltration of collected data, e.g., through APIs or sync clients.

Mitigated by:
  • Privacy by Design Guardrails | Baseline Protection | Medium (CIS 17.3; NIST ID.AM-7)
  • Sensitivity Labels (Purview) | Extended Protection | High (CIS 13.2; NIST PR.DS-1)
  • Automatic Data Classification | Extended Protection | High (CIS 13.1; NIST PR.DS-1)
  • Exact Data Matching (EDM) | Extended Protection | High (CIS 13.1; NIST PR.DS-1)
  • OCR for DLP | Extended Protection | Medium (CIS 13.3; NIST PR.DS-5)
  • Trainable Classifiers | Extended Protection | High (NIST PR.DS-1; OWASP AI-Governance)
T1567 Exfiltration Over Web Service (ATT&CK)

Sending data to an external web service (file-sharing sites, webmail, code repositories) over ordinary HTTPS, so the transfer blends in with legitimate traffic.

Mitigated by:
  • Sensitivity Labels (Purview) | Extended Protection | High (CIS 13.2; NIST PR.DS-1)
  • Data Loss Prevention (DLP) | Baseline Protection | Medium (CIS 13.3; NIST PR.DS-1)
  • Automatic Data Classification | Extended Protection | High (CIS 13.1; NIST PR.DS-1)
  • Exact Data Matching (EDM) | Extended Protection | High (CIS 13.1; NIST PR.DS-1)
  • OCR for DLP | Extended Protection | Medium (CIS 13.3; NIST PR.DS-5)
  • Trainable Classifiers | Extended Protection | High (NIST PR.DS-1; OWASP AI-Governance)
  • SaaS Security Posture Management (SSPM) | Extended Protection | Medium (CIS 1.1; NIST ID.AM-2)
  • Tenant Restrictions | Extended Protection | Medium (CIS 6.1; NIST PR.AC-3)
  • SIEM Integration | Extended Protection | High (CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021)

SaaS & Email DLP | IT Security Checklist for SMEs · AYSOLI Security Hub