I used a simple regex to look at addresses in the envelope.
(Cc|To):\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s
This is effective if there is only one To: or one Cc: (the \s provides this). However, if there is one To: and one Cc: then this will still detect as a true positive.
An alternative is to create one policy with one rule:
To:\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s
and exclude:
Cc:\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s
You then need to do the same for a single Cc: recipient.
----------Enhancement Request--------
Symantec does not keep its results in memory and is therefore incapable of identifying unique instances of content.
In my opinion this is the number one change required in the content detection methods, or rather the scoring used by SDLP. Actually SDLP does not do any scoring at all. It only counts matches. And a match is not stored in memory, so during evaluation it cannot determine unique instances. Other vendors have the ability to determine if a rule detects a unique instance or a single instance, and this is a very important method for improving accuracy.
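The following is an added example, not part of the original post and not Symantec's code: it runs the post's regexes over constructed header samples to compare the combined (Cc|To) rule with the rule-plus-exclusion pair. The function names and sample headers are hypothetical, and it assumes a matching exclusion suppresses the detection; it also shows one case the pair still flags (one To: with several Cc:).

```python
import re

# Address pattern and field prefixes copied from the regexes in the post.
ADDR = r"\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s"
COMBINED = re.compile(r"(Cc|To):" + ADDR)
SINGLE = {"To": re.compile(r"To:" + ADDR), "Cc": re.compile(r"Cc:" + ADDR)}


def combined_hit(headers: str) -> bool:
    """Single (Cc|To) rule: fires if either field holds exactly one address."""
    return COMBINED.search(headers) is not None


def policy_hit(headers: str, field: str) -> bool:
    """One policy of the pair: rule on `field`, exclusion on the other field.

    Assumption: a matching exclusion suppresses the detection entirely.
    """
    other = "Cc" if field == "To" else "To"
    rule = SINGLE[field].search(headers) is not None
    excluded = SINGLE[other].search(headers) is not None
    return rule and not excluded


def single_recipient(headers: str) -> bool:
    """Both policies together (one for To:, one for Cc:)."""
    return policy_hit(headers, "To") or policy_hit(headers, "Cc")


# Constructed sample headers, not taken from real traffic.
SAMPLES = {
    "one_to": "To: alice@example.com\nSubject: report\n",
    "one_cc": "Cc: bob@example.org\nSubject: report\n",
    "one_to_one_cc": "To: alice@example.com\nCc: bob@example.org\nSubject: report\n",
    "two_to": "To: alice@example.com, bob@example.org\nSubject: report\n",
    # The single-Cc exclusion does not match a Cc: list, so the To policy fires.
    "one_to_two_cc": "To: alice@example.com\n"
                     "Cc: bob@example.org, carol@example.net\nSubject: report\n",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:14} combined={combined_hit(hdr)!s:5} "
              f"pair={single_recipient(hdr)}")
```
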