For all Microsoft Office 365 users who regularly use its webmail, yet expect to remain veiled, here is an irony. The tool may not be a good option for you if you wish to keep your IP addresses hidden from recipients. The Microsoft Office 365 Webmail interface exposes senders’ local IP addresses to recipients.
Office 365 Webmail Exposes IP Address
Reportedly, the Microsoft Office 365 Webmail interface has a feature that exposes senders’ local IP address to the recipient. It surfaced online after pentester Jason Lang shared about it in his tweet.
Friendly privacy/opsec reminder: If you use the Outlook 365 web GUI, the originating IP of the connecting device (e.g. your home IP) is smuggled into new message headers. Super easy to work around with Brave browser & new Tor window. IP rotates with each new session. 😁 pic.twitter.com/vjsVhwJEV3
— Jason Lang (@curi0usJack) July 24, 2019
It turned out that the Outlook 365 GUI exposes the original IP of the device via email headers.
Following his tweet, BleepingComputer further detailed analysis of the feature. As revealed in their blog post, the app exposes the senders’ IP address via email header.
When sending an email via Office 365 (https://outlook.office365.com/), the service will inject an additional mail header into the email called x-originating-ip that contains the IP address of the connecting client, which in this case is your local IP address.
This disturbing privacy breach happens only with Office 365 webmail. Other services like Yahoo, Gmail, or even Outlook.com do not exhibit this behavior.
Nonetheless, this IP address exposure isn’t a glitch or a bug; rather, a deliberate move by Microsoft. The tech giant removed this feature from Hotmail back in 2013 as a step towards ensuring users’ privacy. However, for Office 365, the feature remained active to facilitate Admins in analyzing emails sent to their organization, and to detect the senders’ location in case of account hacks.
Using Private Browser Or VPN
As there seems no possibility for a fix to the IP address exposure in the near future, users who wish to hide their IP addresses must look for workarounds. Some feasible options to achieve the goal include the use of VPN or secure browsers such as Tor or Brave. Doing so masks your IP address and replaces it with the one offered by the service.
Besides, the Office 365 Admins can choose to turn this feature off by creating a new rule in the Exchange admin center.
Let us know your thoughts in the comments.