Office 365 Webmail injects your IP address in email headers

Publish date: 2024-06-23
Office 365 Webmail leaks your IP addresses in emails

Do you know that when you use the webmail component of Office 365, you are also sending your IP address to other people?

That’s because the headers of your emails contain your IP address when you are using the web-based Outlook 365 service. Maybe Microsoft has a specific reason for automatically embedding the IP addresses.

However, the company has never informed Outlook 365 users about it. You should not ignore this issue because it is a major security and privacy risk for all of us.

Jason Lang recently identified this issue and shared the news on Twitter.

Friendly privacy/opsec reminder: If you use the Outlook 365 web GUI, the originating IP of the connecting device (e.g. your home IP) is smuggled into new message headers. Super easy to work around with Brave browser & new Tor window. IP rotates with each new session. 😁 pic.twitter.com/vjsVhwJEV3

— Jason Lang (@curi0usJack) July 24, 2019

We cannot say that it was an accidental leak from Microsoft. Obviously, Microsoft was deliberately injecting your IP address into the emails.


IT administrators use the sender’s IP address to search for particular emails. The IP address helps them to recover a hacked account by tracing the location of the sender.

All of the emails that you send through https://outlook.office365.com have a header field called x-originating-ip.
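To check a message you sent (or confirm that an admin rule has stripped the header), you can parse the saved message and look for the field. The following is an added example, not code from the original article; the sample message is constructed, and the bracketed value format and the internal/client classification are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string

# Constructed sample message using documentation-range values, not real mail.
SAMPLE_EML = """\
From: alice@example.com
To: bob@example.org
Subject: Quarterly report
x-originating-ip: [203.0.113.45]
Content-Type: text/plain

Hello Bob
"""

# Ranges treated as "internal" for this example (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def originating_ips(raw_message):
    """Return (raw_value, parsed_ip_or_None) for each x-originating-ip header."""
    msg = message_from_string(raw_message)
    found = []
    # Header names are matched case-insensitively by the email package.
    for value in msg.get_all("x-originating-ip", []):
        raw = value.strip()
        try:
            ip = ipaddress.ip_address(raw.strip("[]").strip())
        except ValueError:
            ip = None  # present but not a valid address
        found.append((raw, ip))
    return found

def audit(raw_message):
    """Describe what each x-originating-ip header discloses; [] means none present."""
    findings = []
    for raw, ip in originating_ips(raw_message):
        if ip is None:
            findings.append(f"unparseable x-originating-ip value: {raw!r}")
        elif any(ip in net for net in INTERNAL_NETS):
            findings.append(f"internal address disclosed: {ip}")
        else:
            findings.append(f"client address disclosed: {ip}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_EML) or ["no x-originating-ip header present"]:
        print(line)
```

An empty result from `audit()` on a message received outside the tenant is the outcome to expect once the header is being removed.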

By the look of things, Microsoft has been using this feature for the past few years. It is an old change that was already included in Outlook 365.

Twitter user @pranq5t3r, who replied to the initial tweet, continued the discussion:

Probably also worth noting that this happens in email clients with a provider that doesn’t mask/strip IP. Google, for example, gives an internal IP when using them in a client. For providers that don’t, an add-on such as TorBirdy in Thunderbird can provide a similar effect.

It must be noted that Office 365 admins can disable this feature to remove the header. They have the option to create a new rule in the Exchange admin center.

An alternative option is to mask your IP address by using a VPN tool. Otherwise, anyone can trace your location if you are using the web client to send e-mails.
