Microsoft's web-based Outlook 365 is leaking users' IP addresses in emails


Anyone using Office 365's webmail component to send emails is unwittingly sharing their IP address with the people they communicate with.

The web-based Outlook 365 inserts the sender's IP address into the header of an email, which makes it stand apart from other webmail services such as Gmail -- and even Microsoft's own Outlook.com. While the injected IP address serves something of a purpose, it's also a privacy and security risk that many users may not be aware of.


The inclusion of IP addresses was a conscious decision by Microsoft. It is a feature that can be used by administrators to perform searches for emails based on the sender's IP address. It means that any email sent via https://outlook.office365.com includes a header field labeled x-originating-ip.

While this is not a recent change to the way Outlook 365 works, the issue was brought to light by penetration tester Jason Lang on Twitter, and shared by Bleeping Computer.

As Jason suggests, there are ways around this -- as you might well want to avoid sharing your home IP address with people you send emails to. Having a friendly word with your Office 365 admin is one option, as they can disable the feature by creating a new rule in the Exchange admin center. Alternatively, you can make use of Tor or a VPN tool to mask your real IP address.
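One way to check whether a message you sent carries the header, and to confirm that an admin's rule has removed it, is to audit the raw message source. This is an added example, not code from the original article or from Microsoft; the sample messages are constructed, the function name is hypothetical, and the bracketed value format is an assumption (the code accepts the value with or without brackets).

```python
import ipaddress
from email import message_from_string

# Ranges not reachable from the internet; any other address is treated as routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

def audit_originating_ip(raw_message: str) -> list:
    """Return one finding per x-originating-ip header in a raw message."""
    msg = message_from_string(raw_message)
    findings = []
    # Header lookup is case-insensitive; get_all returns every occurrence.
    for value in msg.get_all("x-originating-ip", []):
        candidate = value.strip().strip("[]").strip()
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            # Keep malformed values visible instead of silently dropping them.
            findings.append({"ip": None, "exposure": "unparseable"})
            continue
        internal = any(ip in net for net in INTERNAL_NETS)
        findings.append({"ip": str(ip),
                         "exposure": "internal" if internal else "routable"})
    return findings

# Constructed samples (documentation-range and private addresses, not real mail).
LEAKING = "\n".join([
    "From: alice@example.com", "To: bob@example.net",
    "Subject: test", "x-originating-ip: [203.0.113.45]", "", "body",
])
INTERNAL = "\n".join([
    "From: alice@example.com", "To: bob@example.net",
    "X-Originating-IP: 192.168.1.20", "", "body",
])
CLEAN = "\n".join([
    "From: alice@example.com", "To: bob@example.net", "", "body",
])

if __name__ == "__main__":
    for name, raw in (("leaking", LEAKING), ("internal", INTERNAL), ("clean", CLEAN)):
        print(name, audit_originating_ip(raw))
```

An empty result for a message sent after the rule is in place indicates the header is no longer being added; a "routable" finding is the sender's public address as recipients see it.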


© 1998-2019 BetaNews, Inc. All Rights Reserved.