I just opened the following case with support. Can anybody else confirm this behavior?
I currently have Symantec DLP Endpoint Prevent policies configured to detect sensitive information within Email/SMTP messages. Today it was discovered that certain special characters may cause issues with incident detection. A user sent an email containing sensitive information that should have been detected. However, the first line in his email contained an emoticon or smiley face. After testing numerous iterations, I have confirmed that if the emoticon appears before any keywords or sensitive information in the body of the email, it will result in a false negative / non-detection. We are running Outlook 2016 / Office 365 ProPlus in our environment. The emoticon used was a standard smiley face 🙂. I’d be very interested in hearing if this is a known bug.
To clarify a bit: Outlook converts text-based emoticons into “special characters” that get represented as emoticons/emojis. So a standard colon + parenthesis doesn’t break detection. However, whatever character Outlook converts that into appears to break detection. As stated above, it also only seems to break detection if it appears prior to any keywords or sensitive information appearing in the body of the email.
Edit: I’m running Symantec DLP 14.5.0100.01060 (MP1) and Microsoft Office 365 ProPlus Version 1705 (Build 8201.2102).