While scanning my web server logs, I noticed activity that should not be there. An IP lookup showed the offender to be Microsoft. As I dug around more, I realized what was happening – as I type (or even view) an email message in Outlook 365 in the browser, Microsoft (in this case at IP 18.104.22.168) downloaded the first 20-30k of the link right after the link was validated (making the link clickable and adding the underline).
The video below shows how the information is downloaded in real time from my server as I type a link in a new message.
This behavior occurs when drafting a new message and also when displaying a message with a link. It does not appear to occur in the other Office 365 applications – I tested Word, OneNote and PowerPoint; only Outlook.
I have tested this with multiple links and have seen grabs of anywhere between 20KB and 30KB. I’m not sure why Microsoft needs to perform this deep inspection. You don’t need 20KB+ for link validation. And it is not for virus detection (at least not in real time) – I tested with the safe (for test purposes) EICAR virus and there were no alerts.
What this does mean is if you share what you believe to be a file via a private link/url, Microsoft will do a deep inspection of your email and download the first 20-30KB of that file. I’m not sure what it does with that data afterwards.