Hi all,

Since 28/04 we have been observing a huge number of requests coming from
Microsoft IPs to our link tracking system.
In the emails we send we override all links to point to our link tracking
system, but we are seeing that many tracking requests are coming with the
query string parameters obfuscated using some sort of mixed Caesar cipher
with different shifts. Sometimes we observe rot13 encoding, other times
different shifts and encodings.

At first we thought of some malicious activity, but the strange thing is
that almost all the IPs the requests are coming from are Microsoft IPs (more
than 1600 IPs), and in some requests we were able to decode we see correct
parameters and legit URLs.

I'm starting to think that this is not malicious activity but some kind
of anonymization/URL checking action from some Microsoft or anti-malware
system.

These are some examples of the encoded parameters:

p=9d520546fb60360d4fcecf7e2001fac1/133h/0duu/ef/41a/4g6a/ef/ef/ef//uggcf://jjj.lbhghcf.dbz/dubaafy/HDiy6dBD47yeUDYLFKXZ-lDt/afbghefe?efybbe=2%2526dcee=4
/ttn.php?p=a91f671306f35ce073a3406d8ea06934/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
p=bb00e96455bb5a80df7ecab6680f8d96/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.abdfcbbx.dbz/zbeffduvfey.vg/

The last part (starting with uggcf://) is the final destination URL the
clicker will be redirected to. Sometimes we are able to decode them, for
example

uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
applying rot13 twice gives
https://www.instagram.com/moreschi_srl/?nl=vg


Any idea?

Ugo
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
