MC1147381 - Microsoft Purview | Insider Risk Management - Personal email triggers

Service: Microsoft Purview

Last Updated: Sep 9, 2025

Published: Sep 3, 2025

Tag: Updated message, New feature, Admin impact

Platforms: Web

Summary

Microsoft Purview Insider Risk Management will add two new email triggers—sending attachments to free public domains and to personal email—to detect data exfiltration. Rollout begins December 2025. Admins can enable these via IRM settings; existing policies remain unaffected. No action required to prepare.

More information

Updated September 9, 2025: We have updated the timeline. Thank you for your patience.

Introduction

To enhance detection capabilities in Insider Risk Management (IRM), we’re adding two new email indicators as triggers for data exfiltration activities. These indicators help identify potential data leaks when users send business-sensitive attachments to personal or public email domains. This update supports stronger data protection and aligns with customer feedback requesting broader coverage of email-based risks.

This message is associated with Microsoft 365 Roadmap ID 496149.

When this will happen:

General Availability (Worldwide, GCC, GCC High, GCC DoD): Rollout will begin in early December 2025 (previously early September) and is expected to complete by late December 2025 (previously late September).

How this affects your organization:
  • Who is affected: Admins managing Insider Risk Management policies.
  • What will happen:
    • Two new email triggers will be available:
      • Sending email with attachments to free public domains.
      • Sending email with attachments to self (personal email).
    • These indicators can be enabled from the IRM settings page.
    • Sequence detections will now include these indicators as exfiltration activities.
    • IRM quick policy templates will be updated:
      • Email exfiltration: These two indicators will be set as default triggers and indicators. Sending email with attachments to external recipients will not be enabled by default.
      • Data leaks: Both indicators will be added to triggers and indicators, with no changes to existing ones.
      • Data theft by users leaving your org: Indicators will be added; existing triggers and indicators remain unchanged.
      • Critical asset protection: Both indicators will be added to triggers and indicators, with no changes to existing ones.
    • Existing policies created from quick templates will not be affected.

What you can do to prepare:
  • No action is required. The new triggers will automatically become available for configuration in the IRM policy wizard.

Compliance considerations:

No compliance considerations identified; review as appropriate for your organization.