
Helping Microsoft find a privacy bug in Exchange

In 2014, I found a privacy bug that affected millions of customers using Microsoft's Office 365 hosted e-mail service. I discovered that every Microsoft Exchange e-mail server powering the service was appending the customer's WAN IP address to the "x-forefront-antispam-report" header of every e-mail that the customer sent out.

What it looked like

Screenshot: a WAN IP address (highlighted in yellow) appearing in the "x-forefront-antispam-report" section of an e-mail header.

How I found it

One day I was setting up a domain with Microsoft's Office 365 hosted e-mail service. After setting up the Exchange mail server for my domain, I started to read about how to configure the SPF, DMARC, and DKIM e-mail authentication protocols to protect my Exchange mail server from e-mail spoofing attacks.

I decided to start with configuring and testing SPF first and then move on to DMARC and DKIM.

After configuring SPF, I sent a test e-mail through my domain's mail server to a Gmail address of mine.

After receiving the test e-mail at Gmail, I began to analyze the e-mail's headers to see whether SPF was enabled. While analyzing the header, I noticed that the "x-forefront-antispam-report" section contained an IP address labeled with the abbreviation "CLIP".

Out of curiosity, I decided to see whose IP it was. To my surprise, it was my computer's WAN IP. I thought to myself, this is most likely a bug.
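The header check described above can be automated for your own outbound mail. The following is an added example, not code from the original post: it parses the "KEY:value;KEY:value" report and flags a CLIP field that carries a public address. The sample message, header layout and addresses are constructed assumptions.

```python
import ipaddress
from email import message_from_string, policy

# Constructed sample message, as it might arrive in a Gmail inbox. The field
# order and the addresses are assumptions; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for a customer WAN IP and a relay IP.
SAMPLE_RAW = (
    "From: user@example.com\r\n"
    "To: someone@gmail.com\r\n"
    "Subject: SPF test\r\n"
    "X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;"
    "CLIP:203.0.113.45;SCL:1;SRV:;IPV:NLI;SFV:NSPM\r\n"
    "\r\n"
    "test body\r\n"
)

# Ranges that are not a WAN address: RFC 1918, loopback, link-local, CGNAT,
# and their IPv6 counterparts. Anything else is treated as publicly routable.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def parse_antispam_report(value):
    """Split a 'KEY:value;KEY:value' report into a dict (empty values kept)."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition(":")
        fields[key.strip().upper()] = val.strip() if sep else ""
    return fields

def exposed_client_ip(raw_message):
    """Return the CLIP address if it is a public IP, otherwise None."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg.get("X-Forefront-Antispam-Report")
    if header is None:
        return None
    clip = parse_antispam_report(str(header)).get("CLIP")
    if not clip:
        return None
    try:
        addr = ipaddress.ip_address(clip)
    except ValueError:
        return None
    return str(addr) if not any(addr in net for net in NON_PUBLIC) else None
```

Run it over the raw source of a message you sent yourself; a non-None result means the sending machine's address left your network in the header.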

Reporting it to Microsoft

After discovering this bug, I reported it to Microsoft and suggested that they fix it. After Microsoft received the report, John Castillo, a support escalation engineer, contacted me to learn more about the bug, how to reproduce it, and why I felt Microsoft should invest resources into fixing it.

After explaining how to reproduce the bug, I persuaded Microsoft to fix it by submitting a credible threat scenario explaining that the bug was (a) bad for customer privacy, and (b) could put all customers using the Office 365 hosted e-mail service at risk of becoming victims of DDoS attacks, because every time a customer sent an e-mail, their WAN IP address was exposed in the header.

This bug attracted a lot of discussion within the Exchange product group. A few weeks later, Microsoft agreed with my concern and fixed the bug in Microsoft Exchange 2013 (build 15.00.0898.000).

Below is a copy of my e-mail thread with the folks at Microsoft; it is also available in PDF format.