Office 365 Webmail injects your IP address in email headers

by Radu Tyrsina

Do you know that when you use the webmail component of Office 365, you are also sending your IP address to other people?

That’s because the header of your emails contains your IP address when you are using the web-based Outlook 365 service. Maybe Microsoft has a specific reason for automatically embedding the IP addresses.

However, the company has never informed Outlook 365 users about it. You should not ignore this issue because it is a major security and privacy risk for all of us.

Jason Lang recently identified this issue and shared the news on Twitter.

We cannot say that it was an accidental leak from Microsoft. Obviously, Microsoft was deliberately injecting your IP address into the emails.

IT administrators use the sender’s IP address to search for particular emails. The IP address helps them to recover a hacked account by tracing the location of the sender.

All of the emails that you send through the web client have a header field called x-originating-ip.

By the look of things, Microsoft has been using this feature for the past few years. It is an old change that was already included in Outlook 365.

Twitter user @pranq5t3r, who replied to the initial tweet, continued the discussion:

Probably also worth noting that this happens in email clients with a provider that doesn’t mask/strip IP. Google, for example, gives an internal IP when using them in a client. For providers that don’t, an add-on such as TorBirdy in Thunderbird can provide a similar effect.

It must be noted that Office 365 admins can disable this feature and remove the header. They have the option to create a new rule in the Exchange admin center.

An alternative option is to mask your IP address by using a VPN tool. Otherwise, anyone can trace your location if you are using the web client to send e-mails.
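
To check whether a given message actually carries the x-originating-ip header, for instance before and after an admin adds the removal rule, the short Python script below parses raw messages and classifies the value. It is an added example, not code from Microsoft or from the original article; the sample messages are constructed, and the bracketed value format is an assumption (brackets are stripped if present).

```python
import ipaddress
from email import message_from_string

# Ranges that do not reveal the sender's network. Listed explicitly because
# ipaddress.is_private also covers documentation ranges such as the one
# used in the constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample messages, not real traffic.
HEADERS = "From: alice@example.com\nTo: bob@example.org\nSubject: Report\n"
SAMPLE_WEBMAIL = HEADERS + "x-originating-ip: [203.0.113.45]\n\nHello Bob\n"
SAMPLE_INTERNAL = HEADERS + "x-originating-ip: [10.20.30.40]\n\nHello Bob\n"
SAMPLE_STRIPPED = HEADERS + "\nHello Bob\n"


def audit_originating_ip(raw_message):
    """Classify one raw message by its x-originating-ip header.

    Returns (status, address); status is "absent", "internal",
    "exposed" or "malformed".
    """
    msg = message_from_string(raw_message)
    value = msg.get("X-Originating-IP")  # lookup is case-insensitive
    if value is None:
        return ("absent", None)
    candidate = value.strip().strip("[]").strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return ("malformed", candidate)
    if any(addr in net for net in INTERNAL_NETS):
        return ("internal", str(addr))
    return ("exposed", str(addr))


def exposed_messages(raw_messages):
    """Return the addresses found in messages that expose a routable IP."""
    results = (audit_originating_ip(m) for m in raw_messages)
    return [addr for status, addr in results if status == "exposed"]


if __name__ == "__main__":
    for name, raw in [("webmail", SAMPLE_WEBMAIL),
                      ("internal", SAMPLE_INTERNAL),
                      ("stripped", SAMPLE_STRIPPED)]:
        print(name, audit_originating_ip(raw))
```

A message sent after the header has been removed should come back as "absent"; a message sent through a VPN will still come back as "exposed", but with the VPN's address rather than your own.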

