Microsoft Office 365 Webmail Shows Senders’ IP Addresses In Email Headers

For Microsoft Office 365 users who regularly use its webmail and expect to stay hidden, here is an irony: the tool may not be a good option if you wish to keep your IP address hidden from recipients. The Microsoft Office 365 webmail interface exposes senders’ local IP addresses to recipients.

Office 365 Webmail Exposes IP Address

Reportedly, the Microsoft Office 365 webmail interface has a feature that exposes the sender’s local IP address to the recipient. It surfaced online after pentester Jason Lang shared it in a tweet.

It turned out that the Outlook 365 GUI exposes the original IP of the device via email headers.

Following his tweet, BleepingComputer published a more detailed analysis of the feature. As revealed in their blog post, the app exposes the sender’s IP address via an email header.

When sending an email via Office 365 (https://outlook.office365.com/), the service will inject an additional mail header into the email called x-originating-ip that contains the IP address of the connecting client, which in this case is your local IP address.

This disturbing privacy breach happens only with Office 365 webmail. Other services like Yahoo, Gmail, or even Outlook.com do not exhibit this behavior.

Nonetheless, this IP address exposure isn’t a glitch or a bug; rather, it is a deliberate move by Microsoft. The tech giant removed this feature from Hotmail back in 2013 as a step towards ensuring users’ privacy. However, for Office 365, the feature remained active to help admins analyze emails sent to their organization and detect the sender’s location in case of account hacks.

Using Private Browser Or VPN

As there seems to be no possibility of a fix for the IP address exposure in the near future, users who wish to hide their IP addresses must look for workarounds. Some feasible options include using a VPN or secure browsers such as Tor or Brave. Doing so masks your IP address and replaces it with the one offered by the service.

Besides, Office 365 admins can choose to turn this feature off by creating a new rule in the Exchange admin center.
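To check whether a given message still carries the header, for example a test message sent to yourself after adding such a rule, the raw headers can be parsed directly. The following is an added example, not code from Microsoft or BleepingComputer; the sample messages are constructed, and the bracketed value format and the `rfc1918`/`other` labels are assumptions of this sketch.

```python
import ipaddress
from email import message_from_string
from email.policy import default

HEADER = "x-originating-ip"  # header name given in the article

# RFC 1918 ranges: addresses that reveal internal network layout, not a location
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def originating_ips(raw_message):
    """Return one finding per x-originating-ip header in a raw message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for value in msg.get_all(HEADER, []):      # lookup is case-insensitive
        raw = str(value).strip()
        text = raw.strip("[]").strip()         # assumption: bare or [bracketed] IP
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            findings.append({"raw": raw, "ip": None, "scope": "unparseable"})
            continue
        internal = ip.version == 4 and any(ip in net for net in RFC1918)
        findings.append({"raw": raw, "ip": str(ip),
                         "scope": "rfc1918" if internal else "other"})
    return findings

def leaks_client_ip(raw_message):
    """True if the message exposes any client address via the header."""
    return bool(originating_ips(raw_message))

# Constructed sample messages (documentation and private addresses only)
BASE = "From: alice@example.com\nTo: bob@example.net\nSubject: test\n"
SAMPLE_LEAKY = BASE + "x-originating-ip: [203.0.113.5]\n\nbody\n"
SAMPLE_INTERNAL = BASE + "X-Originating-IP: 192.168.1.20\n\nbody\n"
SAMPLE_CLEAN = BASE + "\nbody\n"

if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("internal", SAMPLE_INTERNAL),
                      ("clean", SAMPLE_CLEAN)):
        print(name, leaks_client_ip(raw), originating_ips(raw))
```

Paste the full headers of the received test message in place of the samples; an empty result means the header was not present on delivery.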
