Microsoft Office 365 Email Reveals Sender’s IP Address

When sending an email through Microsoft Office 365, the service adds an extra header called x-originating-ip to the email message, which contains the IP address of the connecting client, according to the BleepingComputer team.

Journalists tested the interfaces of Gmail, Yahoo, AOL, Outlook.com, and Office 365. None of them, except for Office 365, revealed the local IP address. The only way to hide your IP address is by using a VPN or Tor. In that case, the email will include the IP address of the VPN or Tor service, not the user’s actual address.

Back in 2013, Microsoft removed the x-originating-ip header from Hotmail to improve user security and privacy. However, for the Office 365 solution used by businesses, this header was intentionally kept so administrators can search for emails sent to their organization from a specific IP address. This is especially useful for identifying the sender’s location in case an account is compromised.

Office 365 users who want to hide their IP address can create a new rule in the Exchange admin center to remove the x-originating-ip header. For security reasons, however, it is recommended that users leave this header in place.