Cloudflare IP address triggering malicious website alert with Microsoft Azure

Our only website that is running its traffic through Cloudflare is suddenly triggering a malicious website alert.

Is it possible to cycle out the current IP address that Cloudflare has assigned to our site?

That alert is most likely not related to your IP address but your domain name.

Exactly what sandro said, website reputation is based on the domain/hostname only, neither Google safe browsing nor Microsoft smartscreen use the IP address to show malicious website warnings. Cycling the IP address won’t help your website’s reputation and it won’t remove the warning.

Comodo cWatch, Chrome, Google Search Console all giving the website a clean bill of health.

MX Toolbox showing DNS warnings: “SOA Serial Number Format is invalid” and “SOA Expire Value out of recommended range”.

Website has been running through Cloudflare for over a year. No issues up until 10/18/2018.

Going to add:

This is a demo page for an unsafe website: https://demo.smartscreen.msft.net/phishingdemo.html (visit in edge or Internet Explorer) You should be able to click “more information”, then “Report that this site does not contain threats”.

This will take you to a new page where you can plead your case about how you know the website is safe.

If this is not the warning your website is experiencing, post a picture or post the wording it’s using so we can better assist.


Those are regular warnings; you referred to a malware alert.

Right. Azure security is giving us a malicious website alert when someone in our company goes to this website. We created a ticket to see if we can get more information and find out if our Cloudflare protection is suddenly giving us a false positive.

MX Toolbox is showing us the DNS warnings: “SOA Serial Number Format is invalid” and “SOA Expire Value out of recommended range”.

Thanks for your replies thus far.

The DNS warnings are a different issue and not all that relevant.

Can you post a screenshot of that alert?


[Screenshot attachment: Capture]

C2 is a “Command and Control”

That is a screenshot from the browser?

Can you post the URL in question?

There is no browser warning. I would rather not name the website. I hope you understand.

Anyone have any knowledge regarding “Command and Control” threats from an IP address?

The IP address that is getting flagged is a Cloudflare IP.

You mentioned it appears when people visit that site. Where else does it appear if not in the browser?

The warning appears in our Azure security dashboard.

I am not that familiar with it. What kind of warnings show up there and how do they get there?

The warning is an “IndicatorThreatType : C2”.

It shows up when someone on our network visits the website in question.

The website is yours, I understood. So, do you have an internal proxy that filters all web requests and logs that entry when people visit the site in question?

Yes. We can’t find anything unusual, which is why I’m concerned it may be the IP address that Cloudflare has currently assigned to it.

I am afraid I am not familiar with what the particular security solution might use for its alerts, and even though I doubt it is specific to the IP address, I could only advise you to contact Cloudflare’s support.
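The thread's underlying point is that an IP-based threat indicator pointing at a CDN edge address is a weak signal: that address is shared by a large number of unrelated sites, so the hostname (or the domain, as earlier replies note for reputation services) is what an analyst should pivot on. The script below is an added example written for this page, not code from the thread, Cloudflare or Microsoft. It assumes a constructed "key : value ; key : value" alert line format that stands in for whatever the real Azure export looks like, an illustrative subset of Cloudflare's published IPv4 ranges (the authoritative list is served at https://www.cloudflare.com/ips-v4 and should be loaded from there in practice), and a fidelity heuristic of my own: alerts whose remote IP falls in a shared CDN range are marked low fidelity so that triage goes to the hostname rather than to rotating the IP.

```python
import ipaddress
import re

# Illustrative subset of Cloudflare's published IPv4 ranges. This is an
# assumption for the example; load the current list from
# https://www.cloudflare.com/ips-v4 (and ips-v6) before relying on it.
CDN_RANGES = {
    "cloudflare": [
        ipaddress.ip_network("104.16.0.0/13"),
        ipaddress.ip_network("172.64.0.0/13"),
        ipaddress.ip_network("173.245.48.0/20"),
    ],
}

# Constructed alert lines in a simple "key : value ; key : value" shape.
# They are NOT the real Azure Security Center export format, only a stand-in
# so the parsing and triage logic can run offline.
SAMPLE_ALERTS = [
    "IndicatorThreatType : C2 ; RemoteIP : 104.16.12.34 ; Host : ws-07 ; Domain : example.com",
    "IndicatorThreatType : C2 ; RemoteIP : 203.0.113.9 ; Host : ws-12 ; Domain : ",
    "IndicatorThreatType : Phishing ; RemoteIP : 198.51.100.5 ; Host : ws-03 ; Domain : bad.example",
]

# One "Key : value" field, terminated by ';' or end of line.
FIELD_RE = re.compile(r"\s*([A-Za-z]+)\s*:\s*([^;]*?)\s*(?:;|$)")


def parse_alert(line):
    """Split a constructed alert line into a dict of its fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def cdn_owner(ip_text):
    """Return the CDN whose published range contains ip_text, else None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for name, nets in CDN_RANGES.items():
        if any(ip in net for net in nets):
            return name
    return None


def triage(lines):
    """Attach a fidelity rating and a reason to each alert (heuristic, my own)."""
    results = []
    for line in lines:
        alert = parse_alert(line)
        ip = alert.get("RemoteIP", "")
        domain = alert.get("Domain") or None
        owner = cdn_owner(ip)
        if owner:
            # A shared edge address serves many unrelated sites; the IP alone
            # identifies neither the site nor the threat. Pivot on the hostname.
            fidelity = "low"
            reason = f"{ip} is a shared {owner} edge address; investigate the hostname, not the IP"
        elif domain:
            fidelity = "medium"
            reason = f"non-CDN IP with hostname {domain}; check the domain's reputation"
        else:
            fidelity = "high"
            reason = f"direct connection to non-CDN IP {ip} with no hostname recorded"
        results.append({
            "type": alert.get("IndicatorThreatType"),
            "ip": ip,
            "host": alert.get("Host"),
            "domain": domain,
            "shared_cdn": owner,
            "fidelity": fidelity,
            "reason": reason,
        })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(f"[{row['fidelity']:>6}] {row['type']} from {row['host']}: {row['reason']}")
```

Run against the constructed lines, the first C2 alert (Cloudflare range) is rated low fidelity with an instruction to look at the hostname, the second (a direct connection to an unshared address with no hostname) stays high, and the phishing alert with a hostname lands in the middle for a domain-reputation check.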