Office 365 leaking BCC domain name

Originally reported to Microsoft on 2020-06-24. After many attempts at getting Microsoft to acknowledge / fix the problem, they fail to see the issue. I don't know why it's so hard for them to see the issue, but they've had their time. Now you should know about this and protect your recipients' privacy.

What's the problem?

When sending an e-mail through Office 365 without a To address, but with multiple Bcc addresses, the domain of the first Bcc recipient is included in every e-mail to all the Bcc recipients.

Example

Take for example this e-mail:

```
From: me@myoffice365domain.com
To: [empty]
Cc: [empty]
Bcc: someone@amnesty.com, someoneelse@newyorktimes.com
Subject: Some information you'd be interested in...
```

The e-mail received by someoneelse@newyorktimes.com will include the following e-mail header:

```
authentication-results: amnesty.com; dkim=none (message not signed) header.d=none;amnesty.com; dmarc=none action=none header.from=mydomain.com;
```

Thus: the domain name of the first Bcc recipient (amnesty.com) is disclosed to the second Bcc recipient (someoneelse@newyorktimes.com). This is obviously a serious privacy issue.

The relevant part of the spec is defined in RFC 5322 section 3.6.3:

> The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message.

Note: certain SMTP servers will overwrite this header when processing inbound messages. This still means that the Bcc is disclosed (to the SMTP server), but possibly not visible to the end user. So far I've tested with Google Apps as the recipient, and it doesn't overwrite this header, thus disclosing the Bcc's domain name.

Microsoft's response

According to Microsoft Office 365 Support, this is correct behaviour:

> As we discussed over the phone that this behavior is normal and cannot be changed as this header is being added in all messages by default.

(I do not understand how this can be either correct or desired behaviour.)

Additionally I tried reporting this to the Microsoft Security Response Center (MSRC). Their response was that they were unable to reproduce the issue:

> Thank you for reporting this issue to the Microsoft Security Response Center (MSRC). Unfortunately we were unable to reproduce your findings following the steps outlined in your report. As such, this email thread has been closed and will no longer be monitored.

I've made multiple attempts to show them how to reproduce it, basically giving them instructions on how to send e-mail using their own products. They kept closing the issue with the above response.

What can you do?

As an admin, you should add the following rule to remove such headers on outbound e-mail:

* Open Exchange Admin Center
* Go to mail flow, rules
* Add new rule:
  * Apply to all messages
  * Remove header: Authentication-Results.
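The same rule created with Exchange Online PowerShell instead of the Admin Center, followed by a recipient-side check that pulls the authserv-id out of every Authentication-Results header of a saved message. This is an added example, not code from the original post: the admin UPN and rule name are placeholders, and the sample header is constructed from the one quoted above.

```powershell
# Part 1 (sender-side admin): the mail flow rule from the post, via PowerShell.
# Assumes the ExchangeOnlineManagement module is installed; the UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@myoffice365domain.com

$ruleName = 'Strip Authentication-Results header'

# No condition = "apply to all messages". To limit it to mail leaving the tenant
# (the "outbound" case the post describes), add: -SentToScope NotInOrganization
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -RemoveHeader 'Authentication-Results' `
        -Comments 'Stops the first Bcc recipient domain leaking via the authserv-id' `
        -Mode Enforce -Enabled $true
}

# Confirm the rule exists, is enabled and is enforcing (not just auditing).
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, RemoveHeader

# Part 2 (recipient-side check): list the authserv-id of each Authentication-Results
# header in a raw message. Any value that is not your own receiving domain (or a
# relay you know about) is a candidate for the leak described in the post.
function Get-AuthServIds {
    param([Parameter(Mandatory)][string]$RawMessage)
    # Headers end at the first empty line (RFC 5322).
    $headerBlock = ($RawMessage -split "`r?`n`r?`n", 2)[0]
    # Unfold continuation lines (a line starting with space/tab continues the header).
    $unfolded = $headerBlock -replace "`r?`n[ `t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        # The authserv-id is the first token after the field name, up to ';' or space.
        if ($line -match '^Authentication-Results:\s*([^;\s]+)') { $matches[1] }
    }
}

# Constructed sample, modelled on the header quoted in the post.
$sample = @"
From: me@myoffice365domain.com
Authentication-Results: amnesty.com; dkim=none (message not signed) header.d=none;amnesty.com;
 dmarc=none action=none header.from=mydomain.com;
Subject: test

body
"@
Get-AuthServIds -RawMessage $sample
```

To check a real message, pass the contents of an .eml file: `Get-AuthServIds -RawMessage (Get-Content .\message.eml -Raw)`.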