Digging deeper, the report reveals that the webmail application injects the IP address into the email's "X-Originating-IP" header. Interestingly, the report also noted that this is not really a bug but an enterprise-level feature.

Microsoft Office 365 web-based e-mail is leaking IP addresses in e-mails | TechNews


An online report has been published with a surprising finding about the web version of Microsoft Office 365 email. The report reveals that the Office 365 web app is leaking its users' IP addresses via email. Apparently, the app injects users' local IP addresses into emails in an additional header. The report highlighted that Office 365 is the only webmail service that injects local IP addresses into emails. It confirmed this by checking the webmail interfaces of Outlook.com, AOL, Yahoo, Gmail and Office 365.



Microsoft Office 365 webmail IP exposure details:

According to an extensive report by Bleeping Computer, Office 365 webmail users are exposing their IP addresses via email, and Microsoft Office 365 does not notify its users. Digging deeper, the report reveals that the webmail application injects the IP address into the email's "X-Originating-IP" header. Interestingly, the report also noted that this is not actually a bug but an enterprise-level feature. The report revealed that Microsoft removed the header from Hotmail in 2013. The "X-Originating-IP" header appeared in the official customer version of Hotmail before 2013. Microsoft has made it clear that it removed this header to improve "online safety and security of its users".

Not a bug but a feature:

The report noted that Microsoft intentionally left this header in Microsoft Office 365 webmail. It added that the header helps IT administrators track the source of email sent to their organization. This is especially helpful in instances where an account is hacked. The report also states that Office 365 administrators will be able to disable this header if they do not use this feature. Disabling the header across an organization is as easy as setting a new rule in the Exchange Admin Center.


It's pretty easy to think of this header as a threat to the privacy and security of any Office 365 user. However, the ability to check the source of an email is especially effective in enterprise security and monitoring. The header provides administrators with a straightforward way to detect any compromised device and remotely disable it or lock the account. If you are an Office 365 user and your IT admin has not disabled this feature, you can use a VPN to maintain your privacy. However, we do not recommend you do this for the reasons stated above.
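The following Python code is an added example, not taken from the report or from Microsoft. It shows the kind of check the header makes possible for an administrator: reading "X-Originating-IP" from each message and listing senders whose mail came from outside the organization's expected networks. The bracketed value format, the `EXPECTED_NETS` range and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption: the organization's known egress range (documentation address space).
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample messages, not real traffic.
SAMPLES = [
    "From: alice@example.com\nX-Originating-IP: [198.51.100.7]\nSubject: a\n\nbody\n",
    "From: alice@example.com\nx-originating-ip: [203.0.113.50]\nSubject: b\n\nbody\n",
    "From: bob@example.com\nSubject: c\n\nbody\n",                      # header absent
    "From: carol@example.com\nX-Originating-IP: [not-an-ip]\nSubject: d\n\nbody\n",
]

def originating_ip(raw_message):
    """Return the client IP from X-Originating-IP, or None if absent or malformed."""
    msg = message_from_string(raw_message, policy=default)
    value = msg.get("X-Originating-IP")  # header lookup is case-insensitive
    if value is None:
        return None
    try:
        # Assumption: the value is wrapped in square brackets, e.g. [198.51.100.7].
        return ipaddress.ip_address(str(value).strip().strip("[]"))
    except ValueError:
        return None

def unexpected_origins(raw_messages):
    """Map each sender to the sorted originating IPs that fall outside EXPECTED_NETS."""
    hits = defaultdict(set)
    for raw in raw_messages:
        ip = originating_ip(raw)
        if ip is None:
            continue  # header stripped by a rule, or value unusable
        if not any(ip in net for net in EXPECTED_NETS):
            msg = message_from_string(raw, policy=default)
            sender = parseaddr(str(msg.get("From", "")))[1]
            hits[sender].add(str(ip))
    return {sender: sorted(ips) for sender, ips in hits.items()}

if __name__ == "__main__":
    for sender, ips in unexpected_origins(SAMPLES).items():
        print(f"review {sender}: sent from {', '.join(ips)}")
```

A hit is only a prompt for review: a user travelling or working from home produces the same signal as a hijacked account.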
