Valid Microsoft ASN getting flagged as a security risk

Starting around 8 pm Pacific on 26 July, Cloudflare began flagging traffic from a valid Microsoft ASN with an automated security level rule (rule ID “badscore”). This was traffic from the Azure CDN. You can see an example of the security event JSON here:

“action”: “managed_challenge”,
“clientASNDescription”: “MICROSOFT-CORP-MSN-AS-BLOCK”,
“clientAsn”: “8075”,
“clientCountryName”: “GB”,
“clientIP”: “”,
“clientRequestHTTPHost”: “redacted”,
“clientRequestHTTPMethodName”: “GET”,
“clientRequestHTTPProtocol”: “HTTP/1.1”,
“clientRequestPath”: “redacted”,
“clientRequestQuery”: “”,
“datetime”: “2023-07-27T13:55:42Z”,
“rayName”: “7ed561acdaa1fb28”,
“ruleId”: “badscore”,
“rulesetId”: “”,
“source”: “securitylevel”,
“userAgent”: “Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36”,
“matchIndex”: 0,
“metadata”: ,
“sampleInterval”: 1

There were no changes to our Cloudflare configuration. Has anyone else seen this come up or had Cloudflare flagging anything else valid from Microsoft today?

Just because Microsoft owns the ASN doesn’t mean that it can’t be the source of malicious traffic from services hosted in Azure.

1 Like

We see thousands of attack attempts from ASN 8075 outside the Bing & DuckDuckGo ranges and would expect, and want, the above IP to be flagged as bad


It’s not one IP, it’s dozens and the requests are valid and originating from the Azure CDN, not random Azure-hosted sites.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.