Home Cyber Security News Microsoft Office 365 Webmail Shows Senders’ IP Addresses In Email Headers

Microsoft Office 365 Webmail Shows Senders’ IP Addresses In Email Headers

by Abeerah Hashim
Office 365 webmail

For all Microsoft Office 365 users who regularly use its webmail, yet expect to remain veiled, here is an irony. The tool may not be a good option for you if you wish to keep your IP addresses hidden from recipients. The Microsoft Office 365 Webmail interface exposes senders’ local IP addresses to recipients.

Office 365 Webmail Exposes IP Address

Reportedly, the Microsoft Office 365 Webmail interface has a feature that exposes senders’ local IP address to the recipient. It surfaced online after pentester Jason Lang shared about it in his tweet.

It turned out that the Outlook 365 GUI exposes the original IP of the device via email headers.

Following his tweet, BleepingComputer further detailed analysis of the feature. As revealed in their blog post, the app exposes the senders’ IP address via email header.

When sending an email via Office 365 (https://outlook.office365.com/), the service will inject an additional mail header into the email called x-originating-ip that contains the IP address of the connecting client, which in this case is your local IP address.

This disturbing privacy breach happens only with Office 365 webmail. Other services like Yahoo, Gmail, or even Outlook.com do not exhibit this behavior.

Nonetheless, this IP address exposure isn’t a glitch or a bug; rather, a deliberate move by Microsoft. The tech giant removed this feature from Hotmail back in 2013 as a step towards ensuring users’ privacy. However, for Office 365, the feature remained active to facilitate Admins in analyzing emails sent to their organization, and to detect the senders’ location in case of account hacks.

Using Private Browser Or VPN

As there seems no possibility for a fix to the IP address exposure in the near future, users who wish to hide their IP addresses must look for workarounds. Some feasible options to achieve the goal include the use of VPN or secure browsers such as Tor or Brave. Doing so masks your IP address and replaces it with the one offered by the service.

Besides, the Office 365 Admins can choose to turn this feature off by creating a new rule in the Exchange admin center.

Let us know your thoughts in the comments.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid