Re: [mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Tom I via mailop

On 02/05/2023 18:18, Michael Peddemors via mailop wrote:
> Do you have a sampling of the IPs, and we can see if it correlates with 
> some of our datasets?


We saw similar requests earlier this year, around February and March. 
One of our applications generates URLs in the form "...?key=<chars>&n=<name>" - the name is simply to make the URLs less 
opaque when users handle lots of links at once, but it also served to 
make it a bit more obvious when the names are gibberish in the logs.


A few examples of the bad requests we saw, slightly anonymised:

key=emxxeigu&n=uhtu-ubee -> rot13 -> rzkkrvth&n=hugh-horr
key=czxkeyje&n=avdxl -> rot13 -> pmkxrlwr&n=niqky
key=xzfadaut&n=dybef -> rot13 -> kmsnqnhg&n=qlors

It's not quite fully rot13, as Ugo mentioned: in our case the parameter 
names were untouched while the values were not-quite-rot13'd. In the 3 
examples above the n= should have been "Hugh Horr", "Nicky", and "Clare" 
respectively.


We suspect somebody sent a number of links via email using Outlook or 
Office365, or uploaded the links in a spreadsheet to Office365, or 
attached them in an email.


The requests came from 40.94.90.{8,34,46,48,75,77}, 40.94.31.14, 
40.94.97.26, 40.94.87.69 - unclear if they're users of Azure or MS 
infrastructure itself.


None of the requests posed a security issue, as the URL keys didn't match 
and so nothing of value was returned; however, it's still curious what it 
is and why it happens only to some links!


Happy to share more information off-list if this is useful.

Tom




Re: [mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Michael Peddemors via mailop
Do you have a sampling of the IPs, and we can see if it correlates with 
some of our datasets?


Sure would be nice if the big guys did a better job of SWIP on their 
ranges, so we know which ones they operate vs. the ones they rent.





--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada



Re: [mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Daniel K. via mailop
On 5/2/23 14:34, Abuse Department - Advision via mailop wrote:
> I'm starting to think that this is not a malicious activity but some
> kind of anonymization/url checking action from some Microsoft or anti
> Malware system.
> 
> Those are some example of the encoded parameters
> 
> [...]
> 
> uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
> applying rot13 twice give
> https://www.instagram.com/moreschi_srl/?nl=vg

Surely, rot13 was only applied once... :) except for the 'vg' part.

There are many strange things happening online, and only the originator
can answer as to intent.


We once came across a distant cousin of what you describe here, rot13
applied to HTTP requests.

So, instead of sending:

GET /url HTTP/1.1

they sent us:

TRG /hey UGGC/1.1

This failed, of course, but someone suggested handling the TRG verb, and
wrapping the response in rot13, to see what would happen.

We never did.


Daniel K.



[mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Abuse Department - Advision via mailop
Hi all,

Since 28/04 we have been observing a huge number of requests coming from
Microsoft IPs to our link tracking system.
In the emails we send we override all links to point to our link tracking
system, but we are seeing that many tracking requests are coming with the
query string parameters obfuscated using some sort of mixed Caesar cipher
with different shifts. Sometimes we observe rot13 encoding, other times
different shifts and encodings.

At first we thought about some malicious activity, but the strange thing is
that almost all the IPs the requests are coming from are Microsoft IPs (more
than 1600 IPs), and in some requests we were able to decode we see correct
parameters and legit URLs.

I'm starting to think that this is not malicious activity but some kind
of anonymization/URL checking action from some Microsoft or anti-malware
system.

These are some examples of the encoded parameters:

p=9d520546fb60360d4fcecf7e2001fac1/133h/0duu/ef/41a/4g6a/ef/ef/ef//uggcf://jjj.lbhghcf.dbz/dubaafy/HDiy6dBD47yeUDYLFKXZ-lDt/afbghefe?efybbe=2%2526dcee=4
/ttn.php?p=a91f671306f35ce073a3406d8ea06934/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
p=bb00e96455bb5a80df7ecab6680f8d96/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.abdfcbbx.dbz/zbeffduvfey.vg/

The last part (starting with uggcf://) is the final destination URL the
clicker will be redirected to. Sometimes we are able to decode them; for
example:

uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
applying rot13 twice gives
https://www.instagram.com/moreschi_srl/?nl=vg


Any idea?

Ugo
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
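As an added example (not code from any participant in this thread): every sample that Tom and Ugo could decode above is consistent with a single mapping, plaintext letters a-f shifted up by one (a->b ... f->g) and every other letter rot13'd, with digits and punctuation untouched; that rule is inferred from the samples on this page, not documented anywhere, and it reproduces Ugo's instagram sample byte for byte (the "?uy=vg" tail being plain rot13 of "?hl=it") as well as Tom's three n= values. The block applies the mapping in the forward direction, so a link-tracking operator can tell an unmatched value that is the obfuscated form of a key they actually issued (an exact check, since the forward mapping is deterministic) from a random probe, and enumerates the ambiguous reverse decodes ("f" may be "e" or "s") for reading a URL by hand. The issued keys and `match_issued_key` are constructed for illustration.

```python
import codecs
import itertools
from collections import defaultdict
from typing import Optional

# Mapping inferred from every decodable sample in the thread (an observation
# drawn from the samples, not a documented algorithm): plaintext letters a-f
# move up one position (a->b ... f->g), every other ASCII letter is rot13'd,
# digits and punctuation pass through unchanged, and case is preserved.
SHIFT_BY_ONE = "abcdef"


def _encode_char(c: str) -> str:
    lower = c.lower()
    if lower in SHIFT_BY_ONE:
        out = chr(ord(lower) + 1)
    elif "a" <= lower <= "z":
        out = codecs.encode(lower, "rot13")
    else:
        return c
    return out.upper() if c.isupper() else out


def obfuscate(text: str) -> str:
    """Forward direction: what the scanner did to the original URL or value."""
    return "".join(_encode_char(c) for c in text)


# Inverse table. Ciphertext b..g each have two preimages (e.g. 'f' <- 'e' or 's'),
# so a value seen in the logs cannot always be decoded unambiguously on its own.
_PREIMAGES = defaultdict(list)
for _p in "abcdefghijklmnopqrstuvwxyz":
    _PREIMAGES[_encode_char(_p)].append(_p)


def decode_candidates(text: str, limit: int = 256) -> list:
    """Every plaintext that obfuscates to `text`, capped at `limit`, for reading by hand."""
    per_char = []
    for c in text:
        opts = _PREIMAGES.get(c.lower(), [c.lower()])
        per_char.append([o.upper() if c.isupper() else o for o in opts])
    return ["".join(p) for p in itertools.islice(itertools.product(*per_char), limit)]


def match_issued_key(value: str, issued_keys) -> Optional[str]:
    """Is this unmatched tracking value the obfuscated form of a key we issued?
    Comparing forward (obfuscate(key) == value) sidesteps the decoding ambiguity."""
    table = {obfuscate(k): k for k in issued_keys}   # issued_keys: constructed sample set
    return table.get(value)
```

A tracking endpoint that already rejects unknown keys can log the `match_issued_key` result to separate scanner traffic that rewrote a real link from unrelated probing, without ever serving the obfuscated request.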