Do you know that when you use the webmail component of Office 365, you are also sending your IP address to other people?
That’s because the header your emails contains your IP address when you are using the web-based Outlook 365 service. Maybe Microsoft has a specific reason for automatically embedding the IP addresses.
However, the company has never informed Outlook 365 users about it. You should not ignore this issue because it is a major security and privacy risk for all of us.
Jason Lang recently identified this issues and shared the news on Twitter.
We can not say that it was an accidental leak from Microsoft. Obviously, Microsoft was deliberately injecting your IP address in the emails.
IT administrators use the sender’s IP address to search for particular emails. The IP address helps them to recover a hacked account by tracing the location of the sender.
All of your emails that you are sending through https://outlook.office365.com have a header field called x-originating-ip.
By the look of things, Microsoft has been using this feature from the past few years. It is an old change that was already included in Outlook 365.
Twitter ser @pranq5t3r who replied to the initial tweet continued the discussion:
Probably also worth noting that this happens in email clients with a provider that doesn’t mask/strip IP. Google, for example, gives an internal IP when using them in a client. For providers that don’t, an add-on such as TorBirdy in Thunderbird can provide a similar effect.
It must be noted that Office 365 admins can disable this feature to remove the header in any way. They have the option to create a new rule in the Exchange admin center.
An alternative option is to mask your IP address by using a VPN tool. Otherwise, anyone can trace your location if you are using the web client to send e-mails.
LEARN HOW TO HIDE YOUR IP ADDRESS FROM THESE GUIDES: