Do you have a sampling of the IPs, and we can see if it correlates with some of our datasets?

Sure would be nice if the big guys did a better job of SWIP on their ranges, so we know which ones they operate vs. the ones they rent.

On 2023-05-02 07:34, Abuse Department - Advision via mailop wrote:
Hi all,

Since 28/04 we have been observing a huge number of requests coming from Microsoft IPs to our link tracking system. In the emails we send we override all links to point to our link tracking system, but we are seeing that many tracking requests are coming with the query string parameters obfuscated using some sort of mixed Caesar cipher with different shifts. Sometimes we observe rot13 encoding, other times different shifts and encodings.

At first we thought about some malicious activity, but the strange thing is that almost all the IPs the requests are coming from are Microsoft IPs (more than 1600 IPs), and in some requests we were able to decode we see correct parameters and legit URLs.

I'm starting to think that this is not malicious activity but some kind of anonymization/URL checking action from some Microsoft or anti-malware system.

These are some examples of the encoded parameters:

p=9d520546fb60360d4fcecf7e2001fac1/133h/0duu/ef/41a/4g6a/ef/ef/ef//uggcf://jjj.lbhghcf.dbz/dubaafy/HDiy6dBD47yeUDYLFKXZ-lDt/afbghefe?efybbe=2%2526dcee=4
/ttn.php?p=a91f671306f35ce073a3406d8ea06934/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
p=bb00e96455bb5a80df7ecab6680f8d96/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.abdfcbbx.dbz/zbeffduvfey.vg/

The last part (starting with uggcf://) is the final destination URL the clicker will be redirected to. Sometimes we are able to decode them; for example,

uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
applying rot13 twice gives
https://www.instagram.com/moreschi_srl/?nl=vg


Any ideas?

Ugo

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
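A sender-side triage helper for the obfuscated tracking parameters quoted in the thread, added here as an example (not code from the thread or from any Microsoft system): it brute-forces a single Caesar shift on the trailing destination, verifies the result against the URLs the sender actually put in the mail, and, when no single shift fits, profiles the per-letter shifts so a mixed encoding like the one quoted shows up as such. KNOWN_URLS, the rot13 sample parameter and the regex that isolates the trailing segment are assumptions.

```python
import re
from collections import Counter

# Constructed samples: MIXED_PARAM is the parameter quoted in the thread, ROT13_PARAM a
# plain rot13 of a URL we know we sent, KNOWN_URLS the sender's own link inventory.
MIXED_PARAM = ("p=a91f671306f35ce073a3406d8ea06934/133h/0duu/ef/58f/4g6a/ef/ef/ef"
               "//uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg")
ROT13_PARAM = "p=deadbeef/ef//uggcf://jjj.rknzcyr.bet/?pyvpx=1"
KNOWN_URLS = {"https://www.instagram.com/moreschi_srl/", "https://www.example.org/"}

def caesar(text, shift):
    """Shift ASCII letters by `shift`; digits and punctuation pass through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def destination_segment(param):
    """Trailing obfuscated destination (the 'uggcf://'-style token onward), or None."""
    m = re.search(r"//([A-Za-z]{4,5}://.*)$", param)
    return m.group(1) if m else None

def shift_profile(encoded, plain):
    """Count the per-letter decode shift needed to turn `encoded` into `plain`."""
    shifts = Counter()
    for e, p in zip(encoded.lower(), plain.lower()):
        if e.isalpha() and p.isalpha():
            shifts[(ord(p) - ord(e)) % 26] += 1
    return shifts

def analyze(param, known_urls):
    """Brute-force one Caesar shift and verify against URLs we really sent; if no
    single shift fits, profile per-letter shifts against the closest known URL."""
    seg = destination_segment(param)
    if seg is None:
        return {"status": "no-destination"}
    for shift in range(26):
        candidate = caesar(seg, shift)
        if candidate.split("?", 1)[0] in known_urls:  # tracking query strings vary
            return {"status": "verified", "shift": shift, "url": candidate}
    best = max(known_urls, key=lambda u: max(shift_profile(seg, u).values(), default=0), default=None)
    if best is None:
        return {"status": "unknown", "rot13": caesar(seg, 13)}
    return {"status": "mixed-shift", "closest": best, "shifts": dict(shift_profile(seg, best))}
```

On the thread's Instagram example the profile comes out as 26 letters at shift 13 and 5 at shift 25, i.e. rot13 with a second shift applied to a few letters, which is why a plain rot13 decode of that sample does not yield a valid hostname.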
