Our firewall vendor has published a threat signature update detecting potential Cobalt Strike C2 traffic where the web server returns an HTTP response with a after the reason-Phrase, e.g. HTTP/1.1 200 OK, instead of HTTP/1.1 200 OK.
The signature has matched quite a number of websites, all of which are proxied through Cloudflare, e.g.
www.jag.com.au
Is this something Cloudflare has done deliberately? What is the reason behind that?
Thanks.