Office 365 Webmail injects your IP address in email headers



Do you know that when you use the webmail component of Office 365, you are also sending your IP address to other people?

That’s because the header of your emails contains your IP address when you are using the web-based Outlook 365 service. Maybe Microsoft has a specific reason for automatically embedding the IP addresses.

However, the company has never informed Outlook 365 users about it. You should not ignore this issue because it is a major security and privacy risk for all of us.

Jason Lang recently identified this issue and shared the news on Twitter.

We cannot say that it was an accidental leak from Microsoft. Obviously, Microsoft was deliberately injecting your IP address in the emails.




IT administrators use the sender’s IP address to search for particular emails. The IP address helps them to recover a hacked account by tracing the location of the sender.

All of the emails you send through https://outlook.office365.com have a header field called x-originating-ip.

By the look of things, Microsoft has been using this feature for the past few years. It is an old change that was already included in Outlook 365.

Twitter user @pranq5t3r, who replied to the initial tweet, continued the discussion:

Probably also worth noting that this happens in email clients with a provider that doesn’t mask/strip IP. Google, for example, gives an internal IP when using them in a client. For providers that don’t, an add-on such as TorBirdy in Thunderbird can provide a similar effect.


It must be noted that Office 365 admins can disable this feature and remove the header. They have the option to create a new rule in the Exchange admin center.

An alternative option is to mask your IP address by using a VPN tool. Otherwise, anyone can trace your location if you are using the web client to send e-mails.
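To check whether a message you sent still carries the header, for instance after an admin has added the removal rule, you can save the raw message and inspect it. The script below is an added example, not code from the article or from Microsoft; the function name, the address ranges treated as internal, and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
from email import message_from_string

# RFC 1918, loopback and link-local ranges: these reveal little about location.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

def originating_ips(raw_message):
    """Return a list of (address, exposure) for each x-originating-ip header."""
    msg = message_from_string(raw_message)
    findings = []
    # Header names are matched case-insensitively; get_all handles repeats.
    for value in msg.get_all("x-originating-ip", []):
        candidate = value.strip().strip("[]")  # often written in square brackets
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            findings.append((candidate, "unparseable"))
            continue
        internal = any(addr in net for net in INTERNAL_NETS)
        findings.append((str(addr), "internal" if internal else "public"))
    return findings

# Constructed sample messages (not real captures).
# 203.0.113.0/24 is a documentation range standing in for a public client IP.
WEBMAIL = ("From: alice@example.com\nTo: bob@example.net\n"
           "Subject: test\nX-Originating-IP: [203.0.113.45]\n\nbody\n")
MASKED = ("From: alice@example.com\nTo: bob@example.net\n"
          "Subject: test\nx-originating-ip: [10.20.30.40]\n\nbody\n")
STRIPPED = ("From: alice@example.com\nTo: bob@example.net\n"
            "Subject: test\n\nbody\n")

if __name__ == "__main__":
    samples = (("webmail", WEBMAIL), ("masked", MASKED), ("stripped", STRIPPED))
    for name, raw in samples:
        print(name, originating_ips(raw) or "header absent")
```

A "public" result means the recipient can see the sender's routable address; an empty list means the header was stripped before delivery.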
