Australian Marking - OFFICIAL

Detects the Australian Government OFFICIAL protective marking (PSPF / QGISCF) in both email forms ([SEC=OFFICIAL] subject markings, X-Protective-Marking headers) and visible document banners. Excludes UNOFFICIAL and OFFICIAL: Sensitive (handled by au-marking-sensitive). Regex logic ported from Microsoft's canonical PSPF SIT guidance; matched case-sensitively so the lowercase English word "official" does not trigger.

Type: regex
Engine: boost_regex
Confidence: high
Confidence justification: High confidence: case-sensitive uppercase OFFICIAL plus the structured SEC= form make this a reliable marking detector. The English word "official" (lowercase) is excluded by case.
Jurisdictions: au
Regulations: Criminal Code Act 1995 (Cth)
Frameworks: PSPF, QGISCF
Data categories: government, security-classification
Scope: narrow
Risk rating: 6
Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported

Pattern

\bOFFICIAL\b(?!(?:[ ]|:[ ]?|[ ]?//[ ]?)Sensitive)

Corroborative evidence keywords

PSPF, protective marking, Australian Government

Proximity: 300 characters

Should match

Quarterly briefing [SEC=OFFICIAL] — Email subject marking
X-Protective-Marking: VER=2024.1, NS=gov.au, SEC=OFFICIAL — x-header form
This document is classified OFFICIAL by the department — Document banner

Should not match

visit our official website for more information — lowercase English word (case-sensitive exclusion)
Report [SEC=OFFICIAL:Sensitive] — OFFICIAL Sensitive belongs to au-marking-sensitive
This email is UNOFFICIAL — UNOFFICIAL must not match OFFICIAL
Doc marked OFFICIAL // Sensitive — the // form of OFFICIAL Sensitive belongs to au-marking-sensitive

Known false positives

Uppercase use of OFFICIAL in non-marking contexts (e.g. "OFFICIAL OPENING"). Mitigation: Corroborative PSPF/government evidence and the structured SEC= tier raise confidence; banner tier stays at 85.