Share this article

Latest news

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low

Copilot in Outlook will generate personalized themes for you to customize the app

Microsoft will raise the price of its 365 Suite to include AI capabilities

Death Stranding Director’s Cut is now Xbox X|S at a huge discount

Outlook will let users create custom account icons so they can tell their accounts apart easier

Office 365 Webmail injects your IP address in email headers

2 min. read

Updated onApril 27, 2023

updated onApril 27, 2023

Share this article

Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more

Do you know that when you use the webmail component ofOffice 365, you are also sending yourIP addressto other people?

That’s because the header youremailscontains yourIP addresswhen you are using the web-based Outlook 365 service. Maybe Microsoft has a specific reason for automatically embedding theIP addresses.

However, the company has never informed Outlook 365 users about it. You should not ignore this issue because it is a major security and privacy risk for all of us.

Jason Lang recently identified this issues and shared the news on Twitter.

Friendly privacy/opsec reminder: If you use the Outlook 365 web GUI, the originating IP of the connecting device (e.g. your home IP) is smuggled into new message headers. Super easy to work around with Brave browser & new Tor window. IP rotates with each new session. ?pic.twitter.com/vjsVhwJEV3

We can not say that it was an accidental leak from Microsoft. Obviously, Microsoft was deliberately injecting yourIP addressin theemails.

Looking for a tool to hide your IP address? Here are the best options for Windows 10.

IT administrators use the sender’sIP addressto search for particularemails. TheIP addresshelps them to recover a hacked account by tracing the location of the sender.

All of youremailsthat you are sending through https://outlook.office365.com have a header field called x-originating-ip.

By the look of things, Microsoft has been using this feature from the past few years. It is an old change that was already included in Outlook 365.

Twitter ser @pranq5t3r whorepliedto the initial tweet continued the discussion:

Probably also worth noting that this happens in email clients with a provider that doesn’t mask/strip IP. Google, for example, gives an internal IP when using them in a client. For providers that don’t, an add-on such as TorBirdy in Thunderbird can provide a similar effect.

It must be noted thatOffice 365admins can disable this feature to remove the header in any way. They have the option to create a new rule in the Exchange admin center.

An alternative option is to mask yourIP addressby using a VPN tool. Otherwise, anyone can trace your location if you are using the web client to sende-mails.

LEARN HOW TO HIDE YOUR IP ADDRESS FROM THESE GUIDES:

More about the topics:IP address,privacy,windows 10

Radu Tyrsina

Radu Tyrsina has been a Windows fan ever since he got his first PC, a Pentium III (a monster at that time).

For most of the kids of his age, the Internet was an amazing way to play and communicate with others, but he was deeply impressed by the flow of information and how easily you can find anything on the web.

Prior to founding Windows Report, this particular curiosity about digital content enabled him to grow a number of sites that helped hundreds of millions reach faster the answer they’re looking for.

User forum

0 messages

Sort by:LatestOldestMost Votes

Comment*

Name*

Email*

Commenting as.Not you?

Save information for future comments

Comment

Δ

Radu Tyrsina