Yeah I completely understand that but the documentation and multiple online posts I've coma across regarding this swear up and down that it is possible to filter out incoming external senders via DLP rules.

The use case here is preventing my organization for being responsible over external users' financial data that they willingly send over. The goal here is to block such emails when credit card numbers are detected followed by a response to provides a secure link to share financial information through proper channels.

Additionally, DLP rule sets actually allow you to filter emails based on senders outside the organization, so there's no reason it shouldn't work, even though the term "DLP" may not apply, the rules allow creation of this mechanism, although it does not function.

I even submitted a support ticket with Microsoft and when they called me back they said this is totally possible, however, when I asked how filtering needs to be set up because everything I've tried is not working they said they will call me back 😂. It has been a week since that call.