Ask HN: Are business IP addresses confidential information?
In O365, I have strict spam filtering policies and safe links enabled. One of the features of this service is quarantining suspicious email. In this quarantine, you can review emails and delete or release them and mark sender as safe as part of the workflow. In this quarantine, one of the tools is a “preview” where you can see the original email. I noticed that despite lack of warnings about dangers of viewing the original emails, this preview was rendering images that are embedded in the emails. Even though safelinks is enabled and the src endpoints reflect this in the code, I wondered how the images were being served. So I set up a test to send myself an email designed to get caught and quarantined with an embedded image referring an image on a server I have in the cloud. I monitored the http logs as I opened the quarantined email preview and sure enough my local IP address appeared in the http log.
We are a small firm in the high net-worth financial services industry and am concerned that my local IP could be leaked this way. A determined attacker could theoretically use this avenue to find our local office IP to start attacking directly.
I reported to Microsoft and they replied that ip addresses aren’t confidential info and as such no action to fix would be made.
Am I just paranoid here and should IP addresses be considered confidential information in this day and age?
3 comments
[ 2.8 ms ] story [ 14.7 ms ] thread