Nucleuz has determined that a recent change rolled out in Microsoft Office 365 (O365)
may cause your organization's auto-decryption to stop working.
Your organization sends an encrypted message to external recipients.
An external recipient accesses the encrypted message via the Microsoft
Office Message Encryption (OME) portal and replies to it.
The response is not decrypted back to the originating sender. Instead it
arrives still encrypted, requiring users inside your organization to access
the message via the OME portal.
Organizations using Office Message Encryption (OME) to encrypt & decrypt
messages in one or more of these environments:
- Nucleuz DLP Policies installed & running inside Microsoft Exchange (Microsoft Office 365 (O365) and Microsoft Exchange Online)
(Note: Nucleuz DLP Policies installed & running inside Microsoft Security
& Compliance Center may not be affected. Please contact Nucleuz if you experience problems in this environment.)
This issue appeared around Jan 20, 2020. According to Microsoft's announcement, the
change that causes this issue will be completely rolled out by Feb 1, 2020.
Organizations that are not yet affected may not have received the change yet.
This issue appears to be caused by Microsoft's change described in
Office 365 notification MC196886 published on November 27, 2019.
The problem seems to be due to the change now using the tenant's domain for encrypted messages.
The issue seems to be confined to Nucleuz DLP Policies running within Exchange Admin Center.
Nucleuz has confirmed that this behavior can be fixed by changing the "... Decrypt" rule in
the Nucleuz DLP Policy to not require that the sender be External.
Please follow these steps (the screenshot below depicts part of this change):
1. Log into your O365 Admin Center.
2. Navigate to Exchange Admin Center.
3. Navigate to the compliance management section from the left-hand side.
4. Navigate to the data loss prevention section near the top.
5. Select your Nucleuz DLP Policy, and edit it.
6. Locate the "... Decrypt" rule in the list, and edit it.
7. Remove the condition "The sender is located... Outside the organization".
8. Ensure the condition "The recipient is located... Inside the organization" exists (add it if necessary).
9. Save the changes to the Rule.
10. Save the changes to the Policy.
11. Wait up to 1 hour for the changes to take effect.
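The same rule change can be made from Exchange Online PowerShell. This is an added example, not a Nucleuz-supplied script: the policy name is a placeholder, the `*Decrypt` pattern assumes the rule name ends in "Decrypt", and it assumes the two conditions are stored as the transport rule's `FromScope` and `SentToScope` values.

```powershell
# Added example (not from Nucleuz). Requires the ExchangeOnlineManagement module
# and an account allowed to edit mail flow rules.
$PolicyName  = '<your Nucleuz DLP policy name>'  # placeholder: use your policy's name
$RulePattern = '*Decrypt'                        # assumption: matches the "... Decrypt" rule
$Apply       = $false                            # set to $true after reviewing the -WhatIf output

Connect-ExchangeOnline

# Rules of a DLP policy in Exchange Admin Center are mail flow (transport) rules.
$rules = @(Get-TransportRule -DlpPolicy $PolicyName |
    Where-Object { $_.Name -like $RulePattern })

# Refuse to guess if the pattern matches nothing or more than one rule.
if ($rules.Count -ne 1) {
    throw "Expected exactly one rule matching '$RulePattern', found $($rules.Count)."
}
$rule = $rules[0]

# Current state: the affected rule requires the sender to be outside the organization.
$rule | Format-List Name, State, FromScope, SentToScope

$needsChange = ($rule.FromScope -eq 'NotInOrganization') -or
               ($rule.SentToScope -ne 'InOrganization')

if (-not $needsChange) {
    Write-Output "Rule '$($rule.Name)' already has the corrected conditions."
}
else {
    # -FromScope $null removes "The sender is located... Outside the organization".
    # -SentToScope InOrganization keeps or adds "The recipient is located... Inside the organization".
    $params = @{
        Identity    = $rule.Name
        FromScope   = $null
        SentToScope = 'InOrganization'
        WhatIf      = (-not $Apply)
    }
    Set-TransportRule @params

    # Re-read the rule to confirm what is stored (unchanged while $Apply is $false).
    Get-TransportRule -Identity $rule.Name |
        Format-List Name, State, FromScope, SentToScope
}
```

As with the portal procedure, allow up to 1 hour for the change to take effect before re-testing a reply from the OME portal.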
The screenshot below depicts part of this change procedure:
Please contact your Nucleuz Account Manager or
Nucleuz Support for additional help with this issue.