Microsoft Office 365's webmail interface has been found to expose the user's IP
address, which the service injects into outgoing messages as an extra mail header.
This is an important warning for anyone who used the Office 365 webmail interface
expecting it to hide their IP address: in reality it conceals nothing.
When an email is sent through the Office 365 webmail interface
(https://outlook.office365.com/), the service adds a header named X-Originating-IP
that contains the IP address of the connecting client, that is, the address from
which the user's browser reached the service. Anyone who receives the message can
read it in the raw headers.
BleepingComputer also tested the webmail interfaces of Gmail, Yahoo, AOL,
Outlook.com (https://outlook.live.com), and Office 365.
Microsoft itself removed the X-Originating-IP header from Hotmail in 2013 to
improve its users' security and privacy, stating at the time:
"Please
be informed that Microsoft has opted to mask the X-Originating IP address. This
is a planned change on the part of Microsoft in order to secure the well-being
and safety of our customers."
For Office 365, however, which caters to the enterprise, the header was
deliberately kept so that administrators can search for email sent to their
organization from a specific IP address. This is particularly useful for
establishing where a sender connected from when an account has been compromised.
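The auditing use described above, as an added example that is not part of the original article and not Microsoft's tooling: the script below parses raw RFC 5322 messages, pulls out the X-Originating-IP header (Exchange Online writes the value in square brackets, so both bracketed and bare literals are accepted), and flags senders whose connecting address falls outside the networks an administrator expects. It assumes messages have been exported as raw text; the sample messages, sender addresses and the corporate network range are constructed for illustration.

```python
"""Scan raw messages for the X-Originating-IP header that Office 365 webmail adds
and flag senders whose connecting address is not on an expected list.
Added example, not BleepingComputer's or Microsoft's code; the sample messages
and the expected-network list are constructed for illustration."""
import ipaddress
import re
from email import message_from_string, policy

HEADER = "X-Originating-IP"
# Exchange Online writes the value in square brackets, e.g. "[203.0.113.5]";
# accept bracketed or bare IPv4/IPv6 literals.
_VALUE_RE = re.compile(r"^\s*\[?\s*([0-9A-Fa-f:.]+)\s*\]?\s*$")


def originating_ip(raw_message: str):
    """Return the X-Originating-IP value as an ip_address object, or None when
    the header is absent (as with Outlook.com, which no longer adds it) or
    cannot be parsed as an IP literal."""
    msg = message_from_string(raw_message, policy=policy.default)
    value = msg.get(HEADER)
    if value is None:
        return None
    m = _VALUE_RE.match(str(value))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def flag_unexpected(messages, expected_networks):
    """Return a list of (From, ip) pairs for messages whose originating IP lies
    outside every expected network.  Messages without the header are skipped,
    not flagged, because their absence proves nothing about the sender."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    flagged = []
    for raw in messages:
        ip = originating_ip(raw)
        if ip is None:
            continue
        if not any(ip in net for net in nets):
            sender = message_from_string(raw, policy=policy.default).get("From", "")
            flagged.append((str(sender), str(ip)))
    return flagged


# Constructed sample messages (RFC 5791 documentation ranges, not real hosts).
SAMPLES = [
    "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 report\r\n"
    "X-Originating-IP: [198.51.100.24]\r\n\r\nSee attached.\r\n",
    "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Urgent wire transfer\r\n"
    "X-Originating-IP: [203.0.113.77]\r\n\r\nPlease pay today.\r\n",
    "From: carol@example.net\r\nTo: bob@example.com\r\nSubject: Hello\r\n\r\n"
    "No originating header here.\r\n",
]
# Constructed: the address range the organization's users are expected to use.
CORPORATE_NETWORKS = ["198.51.100.0/24"]

if __name__ == "__main__":
    for sender, ip in flag_unexpected(SAMPLES, CORPORATE_NETWORKS):
        print(f"unexpected origin {ip} for message from {sender}")
```

Run against a folder of exported .eml files, the same logic narrows an account-compromise investigation to the messages that left from an address the legitimate user would not have used; an empty result for a mailbox whose provider strips the header (Outlook.com) is expected and should not be read as a clean bill of health.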
Office 365 administrators who do not want to keep the header can create a mail
flow rule in the Exchange admin center that removes it from outgoing messages.
For security and auditing purposes, however, leaving it in place is usually the
wiser choice.