Microsoft seems to have taken its recent pivot and push toward “openness and community” a little too literally: it has emerged that the company’s Office 365 web email interface is sharing senders’ IP addresses with their recipients.
Microsoft’s products are historically notorious for their flimsy security, so leaky email headers in Office 365 should come as no surprise. In fact, there is nothing accidental about it: Microsoft is purposefully broadcasting its users’ IP addresses.
It’s a feature, not a bug, designed by Microsoft to give administrators the right to “perform searches for emails based on the sender’s IP address.”
BleepingComputer, which first reported this, said that the product’s enterprise focus was the reason Microsoft left the feature in Office 365’s web interface, even after masking the X-Originating-IP header in Hotmail in 2013 for privacy and security reasons.
But privacy and security have taken a back seat here, because apparently the feature can be useful in tracking down the sender in case their email account has been hacked. It’s now up to users to decide whether that’s a fair and acceptable trade-off.
The practice of inserting the sender’s IP address in the header is by no means standard practice for webmail: the article notes that Microsoft’s own Outlook email suite doesn’t do this, nor does Google’s Gmail, among others.
Probably because users are not accustomed to inspecting the headers of their emails, the inclusion of their IP addresses in Office 365’s webmail has been sitting there for a while without garnering much attention.
Penetration tester Jason Lang recently tweeted about it, and advised those concerned about Microsoft’s policy around revealing their IP addresses to circumvent it by using Brave as their browser, a VPN service, or Tor, which provide users with anonymity online.
Friendly privacy/opsec reminder: If you use the Outlook 365 web GUI, the originating IP of the connecting device (e.g. your home IP) is smuggled into new message headers. Super easy to work around with Brave browser & new Tor window. IP rotates with each new session. pic.twitter.com/vjsVhwJEV3
— Jason Lang (@curi0usJack) July 24, 2019
There’s another way to stop IP addresses from being included in email headers: ask an administrator to disable the feature in the Exchange admin center.
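Before deciding whether to disable the feature, an administrator or a privacy-conscious user will want to confirm what their own sent mail actually exposes. The following script is an added example, not code from the article or from Microsoft: it parses a message with Python’s standard `email` module, pulls out any `X-Originating-IP` header, and reports whether the address falls outside a set of organisation-owned egress ranges (so a corporate NAT gateway address is not treated as a leak, while a user’s home address is). The sample messages, the egress ranges and the square-bracketed value format are constructed assumptions for this example.

```python
"""Audit an RFC 5322 message for a sender IP exposed via X-Originating-IP.

Added example (not the article's or Microsoft's code). The header name comes
from the article; the bracketed value shape, the sample messages and the
egress ranges below are constructed assumptions.
"""
import ipaddress
from email import message_from_string

# Constructed: address ranges the organisation is willing to expose (its own
# mail gateways / NAT egress). Anything outside these is reported as a leak.
ORG_EGRESS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: a message carrying the header as webmail would emit it.
SAMPLE_LEAKING = """\
From: alice@example.com
To: bob@example.net
Subject: Quarterly figures
X-Originating-IP: [203.0.113.5]
Content-Type: text/plain; charset=utf-8

Figures attached.
"""

# Variants derived from the sample: gateway address, header absent, junk value.
SAMPLE_GATEWAY = SAMPLE_LEAKING.replace("[203.0.113.5]", "[198.51.100.7]")
SAMPLE_CLEAN = SAMPLE_LEAKING.replace("X-Originating-IP: [203.0.113.5]\n", "")
SAMPLE_MALFORMED = SAMPLE_LEAKING.replace("[203.0.113.5]", "[not-an-address]")


def extract_originating_ips(raw_message):
    """Return every well-formed address found in X-Originating-IP headers.

    Both the bracketed form "[1.2.3.4]" and a bare address are accepted.
    Unparseable values are skipped rather than raising, so a junk header
    cannot break the audit.
    """
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("X-Originating-IP", []):
        candidate = value.strip().strip("[]").strip()
        try:
            found.append(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # malformed value: nothing usable to report
    return found


def audit_message(raw_message, allowed_ranges=ORG_EGRESS_RANGES):
    """Summarise what the header reveals about the sender.

    Returns a dict with:
      present   - at least one X-Originating-IP header exists (parseable or not)
      addresses - parsed addresses, as strings
      exposed   - addresses that fall outside allowed_ranges
    """
    msg = message_from_string(raw_message)
    ips = extract_originating_ips(raw_message)
    exposed = [str(ip) for ip in ips
               if not any(ip in net for net in allowed_ranges)]
    return {
        "present": bool(msg.get_all("X-Originating-IP")),
        "addresses": [str(ip) for ip in ips],
        "exposed": exposed,
    }


if __name__ == "__main__":
    samples = [("leaking", SAMPLE_LEAKING), ("gateway", SAMPLE_GATEWAY),
               ("clean", SAMPLE_CLEAN), ("malformed", SAMPLE_MALFORMED)]
    for name, sample in samples:
        print(f"{name:10} {audit_message(sample)}")
```

To audit real mail, save a sent message as raw text (most clients offer "view source" or "download original") and pass its contents to `audit_message`, substituting the organisation’s actual gateway ranges for the constructed ones. An empty `exposed` list with `present` set to `True` means the header is there but only reveals an address the organisation already publishes; a non-empty list is the case the article describes.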
In any case, as BleepingComputer suggests, those who think using web-based email interfaces improves their privacy and security will have to think again. At least if their email of choice is Office 365.