Microsoft Office 365 webmail exposes IP addresses while sending emails

• When sending out emails via Office 365 webmail, the service will inject an additional header into the email called “x-originating-ip” that contains the IP addresses of the sender.
• If you do not want your IP address to be exposed while using Office 365's webmail interface, then you have to connect to the webmail using a VPN or Tor.

What is the issue?

Microsoft Office 365 webmail exposes IP addresses to the recipients while sending out emails. This is because, while sending out emails using Office 365 webmail, your local IP address will be injected into the message as an extra mail header.

The big picture

When sending out emails via Office 365 webmail, the service will inject an additional header into the email called “x-originating-ip” that contains the IP addresses of the sender. The additional header looks something like the example given below.

“authentication-results: spf=none (sender IP is )
smtp.mailfrom=test@example.com
x-originating-ip: [23.xx.xx.xx]
x-ms-publictraffictype: Email”

BleepingComputer tested the webmail interfaces for Gmail, Yahoo, AOL, Outlook.com, and Microsoft Office 365, and found out that only Office 365 injected users’ local IP address while using the webmail.

How to prevent this from happening?

If you do not want your IP address to be exposed while using Office 365's webmail interface, then you have to connect to the webmail using a VPN or Tor. This will cause the services' IP address to be injected into the email rather than the users’ local one.

Worth noting

Microsoft has removed this “ x-originating-ip” header field in 2013 from Hotmail for security and privacy reasons. However, this header has been intentionally left in Office 365 for enterprise, so that admins could search for email that has been sent to their organization from a particular IP address. This header also helps in security and auditing purposes, as well as for finding the location of a sender in the event an account being hacked.

Nevertheless, admins who do not want this header can remove it by creating a new rule in the Exchange admin center.

The bottom line

If you have been using the Microsoft Office 365 webmail interface to hide your IP address while sending out emails, remember that you are not hiding anything.