Outlook for web leaks your location to whoever you send an email to

Microsoft seems to have taken its recent pivot and push toward “openness and community” a little too literally: it has emerged that the company’s Office 365 web email interface is sharing senders’ IP addresses with their recipients.

Microsoft’s products are historically notorious for their flimsy security, so the leaky email headers in Office 365 should come as no surprise. In fact, this should not be a surprise at all, as Microsoft is purposefully broadcasting its users’ IP addresses.

It’s a feature, not a bug, designed by Microsoft to give administrators the right to “perform searches for emails based on the sender’s IP address.”

BleepingComputer, which first reported this, said that the product being geared toward enterprise users was the reason Microsoft left the feature in Office 365’s web interface, even after masking the X-Originating-IP header in Hotmail in 2013 for privacy and security reasons.

But privacy and security have taken the backseat here – because apparently the feature could be useful in tracking down the sender in case their email account had been hacked. It’s now up to users to decide whether that’s a fair and acceptable trade-off.

The practice of inserting the sender’s IP address in the header is by no means standard practice for webmail: the article notes that Microsoft’s own Outlook email suite doesn’t do this, nor does Google’s Gmail, among others.

And probably because users are not accustomed to inspecting the header portion of their emails, the inclusion of their IP addresses in Office 365’s webmail has been sitting there for a while without garnering much attention.

Penetration tester Jason Lang recently tweeted about it, and advised those concerned about Microsoft’s policy around revealing their IP addresses to circumvent it by using Brave as their browser, a VPN service, or Tor, which provide users with anonymity online.

There’s another way to stop including IP addresses in email headers: by asking administrators to disable the feature in the Exchange admin center.
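To check whether a received copy of a message carries the sender's address in an X-Originating-IP header, or to confirm the header is gone after an administrator disables it, the raw headers can be inspected. The following is an added example, not from the original article; the function name, scope labels and sample message are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.policy import default

# Constructed sample: headers as a recipient would see them.
# Addresses come from documentation ranges (RFC 5737), not real hosts.
SAMPLE = """\
Received: from mail.example.net (198.51.100.7) by mx.example.org
From: alice@example.net
To: bob@example.org
Subject: test
X-Originating-IP: [203.0.113.45]

body
"""

# RFC 1918 ranges listed explicitly: an address inside them only reveals
# internal addressing, anything outside them points at the sender's network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_originating_ips(raw_message):
    """Return [(address, scope)] for every X-Originating-IP header found."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for value in msg.get_all("X-Originating-IP", []):
        # The header value is usually wrapped in brackets: [203.0.113.45]
        candidate = str(value).strip().strip("[]")
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            findings.append((candidate, "unparseable"))
            continue
        inside = any(addr.version == net.version and addr in net
                     for net in RFC1918)
        findings.append((str(addr), "rfc1918" if inside else "non-rfc1918"))
    return findings


if __name__ == "__main__":
    hits = find_originating_ips(SAMPLE)
    if not hits:
        print("No X-Originating-IP header present")
    for address, scope in hits:
        print(f"X-Originating-IP exposes {address} ({scope})")
```
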

In any case, as BleepingComputer suggests, those who think using web-based email interfaces improves their privacy and security will have to think again. At least if their email of choice is Office 365.
