Outlook: Mail Categories
🚨 The Signal: Outlook for Android now allows users to assign and remove mail categories. Because categories are used to tag and filter emails, this change could inadvertently expose sensitive information if category use is not managed.
The Impact
End-users are affected, with a low security risk related to potential misclassification of sensitive data.
- End-users: May inadvertently tag sensitive emails with inappropriate categories.
- Security Teams: Need to ensure existing data classification policies account for mobile categorisation.
- Compliance Teams: Must verify categorisation aligns with data handling requirements.
The Action
- Review existing Microsoft Purview Data Loss Prevention (DLP) policies to ensure they account for email categories as a potential data attribute.
- Communicate best practices to end-users regarding the appropriate use of mail categories, especially for sensitive information.
- Consider implementing or updating mobile application management (MAM) policies in Microsoft Intune to restrict or guide Outlook mobile features if miscategorisation becomes a risk.
Domain: Exchange · Impact: low · Workload: Exchange Online