This is sort of a general question to see if anyone here has seen or has experience with anything similar to what I am seeing.
Over the last few weeks my company’s website has seen a huge surge in traffic, all from Microsoft’s ASN8075 network. This traffic comes as a result of our daily newsletter to our customers and in nearly every case the URI query parameters have been re-written - the Google Analytics utm_ variables are all made into gibberish and, more annoying, the page= variable that is pretty necessary for our site to function properly has also been re-written, always to a similar nonsense string, for example instead of page=“Register” we see in the request logs page=“Vafgehd” or page=“Eftvfgfe”.
I suspect it’s some kind of automated link scanner - I have created a few firewall rules in Cloudflare to mitigate this - interestingly if I set the action of the firewall rule to JS Challenge it shows it gets solved nearly 30% of the time but if I change it to a CAPTCHA Challenge then the solved rate drops to nearly zero.
I’m at a loss as to where this is suddenly coming from, if I should be worried about it, if I should be allowing the traffic, filtering it or outright blocking it. Has anyone else ever seen this or have any ideas about what it is or how I should handle it? I’ve reached out to Microsoft’s abuse contact and haven’t heard anything back which doesn’t really surprise me.
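
One way to size the problem before choosing between allowing, challenging or blocking is to count requests whose `page=` value is not one the site serves, split by source ASN. The sketch below is an added example, not part of the original post. The JSON field names (`ClientASN`, `ClientRequestURI`), the list of valid pages and the log records are assumptions constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: the page= values the site really serves (only "Register" is from the post).
KNOWN_PAGES = {"Register", "Login", "Unsubscribe"}
MS_ASN = 8075  # the ASN named in the post

# Constructed sample records, not real traffic. AS64500 is a documentation ASN.
SAMPLE_LOG = """\
{"ClientASN": 8075, "ClientRequestURI": "/?page=Vafgehd&utm_source=kqwzpt&utm_medium=hhrxa"}
{"ClientASN": 8075, "ClientRequestURI": "/?page=Eftvfgfe&utm_source=plmzzq"}
{"ClientASN": 8075, "ClientRequestURI": "/?page=Register&utm_source=newsletter"}
{"ClientASN": 64500, "ClientRequestURI": "/?page=Register&utm_source=newsletter&utm_medium=email"}
{"ClientASN": 64500, "ClientRequestURI": "/?page=Xyzzy"}
{"ClientASN": 64500, "ClientRequestURI": "/"}
"""

def classify(record, known_pages=KNOWN_PAGES):
    """Label one request by its page= value and source ASN."""
    query = parse_qs(urlsplit(record["ClientRequestURI"]).query)
    if "page" not in query:
        return "no_page"              # nothing to judge, e.g. the home page
    if query["page"][0] in known_pages:
        return "valid"                # a real page, whatever the source network
    # Unknown page value: separate the pattern from the post from other noise.
    return "rewritten_from_asn" if record["ClientASN"] == MS_ASN else "invalid_other"

def summarize(log_text):
    """Count classifications over newline-delimited JSON log records."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(json.loads(line))] += 1
    return counts

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG).most_common():
        print(f"{label:20} {n}")
```

The `valid` requests from AS8075 are the ones a blanket ASN block would also drop, so that count shows how much legitimate traffic a rule keyed only on the network would cost compared with one that also checks the `page=` value.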