Jan 22 2017 08:14 PM - edited Jan 31 2017 11:20 PM
I’m not sure if this is the right place for this kind of post, but I think it warrants the attention of whoever is in charge of Office 365 Message Encryption (OME): OME doesn’t remove Exchange X-header fields from encrypted messages, which may expose private information.
OME delivers an encrypted message as an HTML attachment containing a FORM field called rpmsg, whose value is a MIME text (which further contains an attachment message.rpmsg, the encrypted message itself). rpmsg contains X-header fields used internally by Exchange, notably
* X-MS-Exchange-Organization-BCC, the list of BCC’d recipients;
* X-MS-Exchange-Organization-OriginalClientIPAddress, the client’s connecting IP address (some organizations consider it private and also remove X-Originating-IP from outbound messages);
* X-MS-Exchange-Organization-MessageSent24, apparently the number of emails sent within a moving 24-hour window.
(Screenshot: https://i.imgur.com/HQeTY8W.jpg)
I tried to contact the Exchange Team on Twitter previously, but haven’t heard back yet.
Update: I got an update from Microsoft today that this issue will be fixed in a future version of OME, although no release date was given.
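The leak described in the post, as an added example that is not part of the original post and is not Microsoft's code: a small Python audit that pulls the rpmsg form field out of an OME HTML attachment, parses the MIME text inside it, reports any X-MS-Exchange-Organization-* headers (and X-Originating-IP) that survived, and shows the header stripping a fixed OME would need to do before wrapping the message. The HTML layout (a hidden `<input name="rpmsg">` whose value is the HTML-escaped MIME text) is assumed from the post's description; the sample attachment, its header values, and the "ciphertext" bytes are constructed for the example.

```python
import html
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Headers that Exchange uses internally and that should not leave the tenant.
# Anything under the X-MS-Exchange-Organization- prefix is flagged; the set
# below adds the non-prefixed header some organizations also strip.
INTERNAL_HEADER_PREFIX = "x-ms-exchange-organization-"
EXTRA_SENSITIVE = {"x-originating-ip"}


def _is_internal(name: str) -> bool:
    lname = name.lower()
    return lname.startswith(INTERNAL_HEADER_PREFIX) or lname in EXTRA_SENSITIVE


class _RpmsgFieldExtractor(HTMLParser):
    """Collect the value of <input name="rpmsg" value="..."> from the HTML."""

    def __init__(self):
        super().__init__()
        self.rpmsg = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name") == "rpmsg":
            # HTMLParser has already unescaped &quot; &amp; etc. for us
            self.rpmsg = a.get("value", "")


def extract_rpmsg_mime(html_attachment: str) -> EmailMessage:
    """Return the MIME message carried in the rpmsg form field (assumed layout)."""
    p = _RpmsgFieldExtractor()
    p.feed(html_attachment)
    p.close()
    if p.rpmsg is None:
        raise ValueError("no rpmsg form field found in attachment")
    return message_from_string(p.rpmsg, policy=policy.default)


def leaked_internal_headers(msg: EmailMessage) -> dict:
    """Map header name -> value for every internal Exchange header present."""
    return {name: str(value) for name, value in msg.items() if _is_internal(name)}


def strip_internal_headers(msg: EmailMessage) -> EmailMessage:
    """What the wrapper should do before embedding the MIME text: drop them all."""
    for name in list(msg.keys()):
        if _is_internal(name):
            del msg[name]  # removes every occurrence of that header
    return msg


def audit_ome_attachment(html_attachment: str) -> dict:
    """Report leaked headers and whether the encrypted payload part is present."""
    msg = extract_rpmsg_mime(html_attachment)
    has_payload = any(
        part.get_filename() == "message.rpmsg" for part in msg.iter_attachments()
    )
    return {"leaked_headers": leaked_internal_headers(msg),
            "has_encrypted_payload": has_payload}


def build_sample_attachment() -> str:
    """Constructed sample OME attachment (not a real capture)."""
    inner = EmailMessage()
    inner["From"] = "alice@example.com"
    inner["To"] = "bob@example.net"
    inner["Subject"] = "Q1 numbers"
    # Invented values standing in for what Exchange stamps internally
    inner["X-MS-Exchange-Organization-BCC"] = "carol@example.org, dave@example.org"
    inner["X-MS-Exchange-Organization-OriginalClientIPAddress"] = "203.0.113.7"
    inner["X-MS-Exchange-Organization-MessageSent24"] = "17"
    inner.set_content("This message is encrypted. Open the attachment to read it.")
    inner.add_attachment(b"\x00\x01\x02fake-ciphertext",  # placeholder, not real rpmsg data
                         maintype="application",
                         subtype="x-microsoft-rpmsg-message",
                         filename="message.rpmsg")
    mime_text = inner.as_string()
    return ('<html><body><form method="post" action="https://example.invalid/viewer">'
            '<input type="hidden" name="rpmsg" value="%s"></form></body></html>'
            % html.escape(mime_text, quote=True))


if __name__ == "__main__":
    report = audit_ome_attachment(build_sample_attachment())
    for name, value in report["leaked_headers"].items():
        print(f"LEAKED  {name}: {value}")
    print("encrypted payload present:", report["has_encrypted_payload"])
```

Run it against a real message.html and the report lists exactly which internal headers would be readable by anyone who receives the attachment, since the HTML wrapper itself is not encrypted; `strip_internal_headers` is the minimal sanitization a fixed wrapper has to apply to the inner MIME before embedding it.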