On Tue, 7 May 2024, Vitali Quiering wrote:
We've identified an IP address, notably tied to Microsoft (20.203.218.75), executing thousands of hits on our URLs almost immediately after dispatching a newsletter. However, the peculiar part is the variation in the hash segments they're accessing. The URL queries we've seen look something like https://sub.customerdomain.tld/info/Mjl2Y3N6ej, which, upon decoding, starts off with a familiar segment 29vcsz% but diverges significantly right after.
Microsoft performs link scanning. This seems like they are attempting to check for mutated patterns as well, something like John the Ripper.
/mark _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop