Hi Morgado,
it's working with Network detection.
I create an eml with an X-header :
X-Sender: thomas.le-parco-ext@sgcib.com
X-Receiver: thomas.leparco@...
X-Company: My Company
MIME-Version: 1.0
From: thomas.le-parco-ext@...
To: thomas.leparco@...
Date: 25 Sep 2015 14:33:48 +0200
Subject: Test X-Header
Content-Type: multipart/mixed; boundary=--boundary_0_92ff627c-a1d2-4b65-8436-3ad5469dbae8
and drop it on DLP Network after created a policy with simple keyword :
And there is an incident for it:
You could improve policy to first detect the X-header and then search for keyword.