Question
DLP and SSN's
I've got a policy/protection profile set up for just outbound email from our public email server and in the DLP rules I'm looking for SSN's. We are getting quite a bit of false positives in that the numbers look and are formatted like SSN's but aren't. Typical example is a reply to an email from Hotmail. Microsoft adds this to their email:

Hotmail: Free, trusted and rich email service. Get it now. ( http://clk.atdmt.com/GBL/go/171222984/direct/01/ )

As you can see, the URL has a 9 digit number that looks like an SSN. Is anybody else using DLP to look for SSN's or credit card numbers in email/html and is running into this type of problem? We'd really like to continue to use the regex to look for data leaks but it's becoming a management/helpdesk nightmare.

Also, does anybody know when Fortinet gained the capability to look inside the new MS Office file formats (.xlsx and .docx)? I tested pretty extensively with DLP and noticed that the firewall could look inside standard .xls files for SSN's and find/block them but it couldn't do the same with .xlsx files. On Tuesday I had a user complain that their email was blocked and it turned out that it had an .xlsx attachment with numbers in it that looked like SSN's (turns out there were zip codes formatted like this 596015670 instead of 59601-5670) but were not. I hadn't applied any firmware updates to the firewall so I'm assuming that it was part of an IPS/AV update. I'm also making the assumption that DLP uses IPS to inspect the packets. Is that true? Doesn't anybody know where I can find out what's in those updates? I dug around the Fortinet site a bit and didn't find out anything.
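The false positives described in the question, reproduced as an added example that is not part of the original post and is not FortiGate configuration: a Python sketch of context-aware SSN matching. Both numbers quoted in the post pass the SSA structural rules, so the sketch also skips digits inside URLs and accepts unformatted 9-digit runs only near SSN wording; the function names, keyword list and 40-character window are assumptions.

```python
import re

# Nine digits as AAA-GG-SSSS (hyphen or space separated) or as a bare run,
# not embedded in a longer digit/hyphen sequence.
CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
URL = re.compile(r"https?://\S+", re.I)
KEYWORD = re.compile(r"\b(?:ssn|social\s+security)\b", re.I)  # assumed keyword list

def structurally_valid(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_ssns(text, window=40):
    """Return likely SSNs; bare 9-digit runs count only near an SSN keyword."""
    url_spans = [m.span() for m in URL.finditer(text)]
    hits = []
    for m in CANDIDATE.finditer(text):
        area, sep, group, serial = m.groups()
        if not structurally_valid(area, group, serial):
            continue
        if any(start <= m.start() < end for start, end in url_spans):
            continue  # digits inside a URL, e.g. a tracking id
        if not sep:
            context = text[max(0, m.start() - window):m.end() + window]
            if not KEYWORD.search(context):
                continue  # unformatted run with no SSN wording nearby
        hits.append(m.group(0))
    return hits

# Constructed sample messages (the URL and ZIP value are the ones quoted in the post).
SAMPLES = {
    "hotmail_footer": "Get it now. ( http://clk.atdmt.com/GBL/go/171222984/direct/01/ )",
    "zip_plus_4": "Ship to Helena, MT 596015670",
    "formatted": "Employee record: 123-45-6789",
    "bare_with_keyword": "Her social security number is 123456789.",
    "never_issued": "Test value 000-12-3456",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:18} -> {find_ssns(body)}")
```

The trade-off is that an unformatted SSN with no nearby keyword is missed, so the window and keyword list need tuning against real outbound mail.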
