Microsoft's web-based Outlook 365 is leaking users' IP addresses in emails
Anyone using Office 365's webmail component to send emails is unwittingly sharing their IP address with the people they communicate with.
The web-based Outlook 365 inserts the sender's IP address into the header of an email, which makes it stand apart from other webmail services such as Gmail -- and even Microsoft's own Outlook.com. While the injected IP address serves something of a purpose, it's also a privacy and security risk that many users may not be aware of.
The inclusion of IP addresses was a conscious decision by Microsoft. It is a feature that can be used by administrators to perform searches for emails based on the sender's IP address. It means that any email sent via https://outlook.office365.com includes a header field labeled x-originating-ip.
While not a recent change to the way Outlook 365 works, the issue was recently brought to light by penetration tester Jason Lang on Twitter, and shared by Bleeping Computer:
Friendly privacy/opsec reminder: If you use the Outlook 365 web GUI, the originating IP of the connecting device (e.g. your home IP) is smuggled into new message headers. Super easy to work around with Brave browser & new Tor window. IP rotates with each new session.
— Jason Lang (@curi0usJack) July 24, 2019
As Jason suggests, there are ways around this -- as you might well want to avoid sharing your home IP address with people you send emails to. Having a friendly word with your Office 365 admin is one option, as they can disable the feature by creating a new rule in the Exchange admin center. Alternatively, you can make use of Tor or a VPN tool to mask your real IP address.
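As an added example (not from the article, Microsoft, or Jason Lang), here is a small Python audit for the header described above: it parses a raw message, reports any x-originating-ip value it carries, and produces a copy with the header removed, which is the effect an admin-side rule in the Exchange admin center would have. The sample message is constructed, and its address is a documentation-range placeholder rather than a real sender.

```python
import email
import ipaddress
from email import policy
from typing import Optional

# Constructed sample of a message sent through the web client; the address is
# an RFC 5737 documentation placeholder, and the brackets match the header's
# usual form.
SAMPLE_RAW = """\
Received: from mail.example.com by outbound.example.net with HTTPS
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: test
x-originating-ip: [203.0.113.45]
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

hello
"""

HEADER = "x-originating-ip"  # matched case-insensitively by the email module

def find_originating_ip(raw: str) -> Optional[str]:
    """Return the validated address carried in x-originating-ip, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    value = msg.get(HEADER)
    if value is None:
        return None
    candidate = str(value).strip().strip("[]")
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # header present but not a parseable address

def strip_originating_ip(raw: str) -> str:
    """Return the message with every x-originating-ip header removed.

    Assumption: this is what an admin-side transport rule that drops the
    header would produce; the body and other headers are left untouched.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    del msg[HEADER]  # deletes all occurrences of the header
    return msg.as_string()

if __name__ == "__main__":
    print("sender IP exposed:", find_originating_ip(SAMPLE_RAW))
    print("header still present after strip:",
          HEADER in strip_originating_ip(SAMPLE_RAW).lower())
```

Run it against the raw source of a message you sent from the web client (most mail readers offer a "view source" or "show original" option) to confirm whether your own address is being included.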