DLP for Bitcoin Addresses

One of the up-and-coming combination phish-ransom attacks is to trick the mark into thinking that you've got access to their data, and then get them to send money to a Bitcoin address to protect them from data leakage.  You can create a DLP rule in the Office 365 Security & Compliance Center (or an Exchange Online transport rule) to try to combat this.

The regular expression we're going to work with is:


This will match the standard BTC addresses (beginning with bc1 or a 1 or a 3), and then 25-34 alphanumeric characters excluding lookalikes (lowercase L, uppercase i, numeral 0 and uppercase o), followed by a space character (\s), the end-of-line ($), or a period (as long as it didn't have any characters immediately after it).

To configure the Security & Compliance DLP sensitive information type, follow these steps.

Security & Compliance Center

  1. Launch a browser, navigate to protection.office.com, select Classifications and then select Sensitive info types.

  2. Click  +Create.

  3. Enter a name and description and click Next.

  4. Click +Add an element.

  5. Select Regular expression from the drop-down, and paste in the regular expression text.

  6. If you want to increase the sensitivity or confidence level, you may want to include supporting elements like btc or wallet keywords and click Next.

  7. Confirm and click Finish.

  8. Click Yes to test your pattern against a file.

  9. Create a file with the following content:

     Send BTC payment to address:1JHJnnDp9A92XdjfYkHKyrJ3R99Q72K3X4
  10. Upload the file and click Test.

  11. Click Finish.

Once you've created the Sensitive info type, you can use it in DLP policies and labels.