If you have been trying to use Office 365’s webmail service as a buffer for your IP address, your efforts may have been futile. When sending emails using the service, your IP address is automatically added as a header to the email.
Many people choose webmail hosts to reply to emails because these services are expected to protect the sender's IP address. With phishing attacks, ransomware, and cybercrime campaigns running rampant, protecting your IP address and your information online is vital. However, it turns out some of these webmail services aren't actually hiding your IP address.
According to a report on Cyware, “when sending out emails via Office 365 webmail, the service will inject an additional header into the email called ‘x-originating-ip’ that contains the IP addresses of the sender.”
Microsoft removed this feature from its other web service, Hotmail, for safety and security reasons. Unfortunately, Microsoft left the feature in Office 365 so admins could easily retrieve the IP addresses of emails sent to their networks.
Furthermore, they state that if you want to protect yourself online using this service, you have to take extra steps, including using a VPN and using Tor Browser, which uses a proxy to mask your true IP address.
On one hand, protecting your IP address can be useful, as it masks your location and other sensitive information about your network. On the other, for the purposes of security and auditing emails in the network, it can be useful to have access to a sender’s IP address. Whether to keep this feature enabled depends on your own needs and those of your organization.
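To see what a given message actually discloses, you can read the header yourself. The following is an added example, not code from Microsoft or the cited reports: it parses a raw message, extracts every `x-originating-ip` header, and labels each address as internal or external. The function name, the sample messages, and the bracketed value format are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.policy import default

# Non-routable ranges: an address here reveals internal network layout
# rather than the sender's public location.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

def audit_originating_ip(raw_message):
    """Return (address, scope) for each x-originating-ip header found.

    scope is "internal", "external", or "unparseable". Header names are
    matched case-insensitively by the email module.
    """
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for value in msg.get_all("x-originating-ip", []):
        # Assumed format: the address may be wrapped in square brackets.
        candidate = str(value).strip().strip("[]").strip()
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            findings.append((candidate, "unparseable"))
            continue
        internal = any(ip in net for net in INTERNAL_NETS)
        findings.append((str(ip), "internal" if internal else "external"))
    return findings

def _sample(extra_headers):
    # Constructed message; addresses are documentation or private ranges.
    headers = ["From: alice@example.org", "To: bob@example.com",
               "Subject: Quarterly report"] + extra_headers
    return "\n".join(headers) + "\n\nHello Bob.\n"

SAMPLE_EXTERNAL = _sample(["x-originating-ip: [203.0.113.45]"])
SAMPLE_INTERNAL = _sample(["X-Originating-IP: 192.168.1.20"])
SAMPLE_CLEAN = _sample([])

if __name__ == "__main__":
    for name in ("SAMPLE_EXTERNAL", "SAMPLE_INTERNAL", "SAMPLE_CLEAN"):
        print(name, audit_originating_ip(globals()[name]) or "no header present")
```

Sending a test message to yourself through the webmail service and running its raw source through a check like this shows whether the header is present on your own mail.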
Sources:
- https://cyware.com/news/microsoft-office-365-webmail-exposes-ip-addresses-while-sending-emails-cede7beb
- https://www.bleepingcomputer.com/news/microsoft/microsoft-office-365-webmail-exposes-users-ip-address-in-emails/
- https://answers.microsoft.com/en-us/outlook_com/forum/all/i-want-to-know-the-ip-the-sender-used-on-the-email/f3de6d36-c9c4-4d2f-82b9-bcabbd6f1ebc