A new report has surfaced online exposing a surprising revelation about the web version of Microsoft Office 365 email. According to the report, the Office 365 web app is leaking the IP addresses of its users through email. To be clear, the app injects the local IP address of the user into outgoing emails under an extra header. The report also highlighted that Office 365 is the only webmail service to inject the local IP address in emails, and it confirmed this by testing the webmail interfaces of Outlook.com, AOL, Yahoo, Gmail, and Office 365.
Microsoft Office 365 webmail IP exposing details
According to a comprehensive report by Bleeping Computer, Office 365 webmail users are exposing their IP addresses through email, and Microsoft Office 365 does not inform its users about this. Digging deeper, the report revealed that the webmail app injects the IP address under the “x-originating-ip” header in the email. Interestingly, the report also noted that this is not really a bug but an enterprise-level feature. The report revealed that Microsoft removed the header from Hotmail back in 2013. Before 2013, the “x-originating-ip” tag was present in the official consumer version of Hotmail. Microsoft clarified that it removed this tag to improve “the online safety and security of its users”.
Friendly privacy/opsec reminder: If you use the Outlook 365 web GUI, the originating IP of the connecting device (e.g. your home IP) is smuggled into new message headers. Super easy to work around with Brave browser & new Tor window. IP rotates with each new session. pic.twitter.com/vjsVhwJEV3
— Jason Lang (@curi0usJack) July 24, 2019
Not a bug but a feature
The report stated that Microsoft intentionally left this header in the enterprise Microsoft Office 365 webmail. It added that this allows IT administrators to track the origin of the email sent to their organization. This is particularly helpful in instances where an account has been hacked. The report also noted that Office 365 administrators can disable this header if they don’t use this feature. Disabling the header across the organization is as easy as setting a new rule in the Exchange administrator center.
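For administrators who want to check whether their tenant's mail still carries the header, or to see what the "remove header" rule does to a message, here is a small audit script. It is an added example, not code from the report or from Microsoft; the sample message and the address 203.0.113.27 are constructed for illustration.

```python
"""Audit and scrub the X-Originating-IP header that Office 365 webmail adds.

Added example, not from the article or from Microsoft. The sample message
below is constructed; 203.0.113.27 is a documentation-range address.
"""
import ipaddress
from email import message_from_string, policy

# Constructed sample: a message roughly as it might leave Office 365 webmail.
SAMPLE_MESSAGE = """\
From: alice@example.com
To: bob@example.net
Subject: Quarterly figures
X-Originating-IP: [203.0.113.27]
Date: Wed, 24 Jul 2019 10:00:00 +0000
Content-Type: text/plain; charset="utf-8"

See attached.
"""


def originating_ip(raw: str):
    """Return the client IP carried in X-Originating-IP, or None.

    The header value is written in square brackets, e.g. "[203.0.113.27]";
    the brackets are stripped and the value validated as an IP address.
    """
    msg = message_from_string(raw, policy=policy.default)
    value = msg.get("X-Originating-IP")  # header lookup is case-insensitive
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value.strip().strip("[]"))
    except ValueError:
        return None  # malformed header: do not trust it


def strip_originating_ip(raw: str) -> str:
    """Remove every X-Originating-IP header, the effect of an Exchange
    mail flow rule that removes that header (the mitigation described above)."""
    msg = message_from_string(raw, policy=policy.default)
    del msg["X-Originating-IP"]  # deletes all occurrences of the header
    return msg.as_string()


if __name__ == "__main__":
    print("client IP exposed:", originating_ip(SAMPLE_MESSAGE))
    scrubbed = strip_originating_ip(SAMPLE_MESSAGE)
    print("after scrub:", originating_ip(scrubbed))
```

Run it against a saved `.eml` file from a test mailbox to confirm the rule took effect tenant-wide.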
It is quite easy to think of this header as a threat to the privacy and security of Office 365 users. However, the ability to check the origin of an email comes in handy, especially for enterprise security and audit. The header provides a straightforward way for administrators to locate compromised devices and remotely disable them or lock the account out. If you are an Office 365 user and your IT admin has not disabled the feature, you can use a VPN to maintain your privacy. However, we don’t recommend doing that, for the reasons mentioned above.