Valid Microsoft ASN getting flagged as a security risk

Starting around 8 pm Pacific on 26 July, Cloudflare began flagging traffic from a valid Microsoft ASN with an automated security level rule (rule ID “badscore”). This was traffic from the Azure CDN. You can see an example of the security event JSON here:

{
  "action": "managed_challenge",
  "clientASNDescription": "MICROSOFT-CORP-MSN-AS-BLOCK",
  "clientAsn": "8075",
  "clientCountryName": "GB",
  "clientIP": "147.243.150.177",
  "clientRequestHTTPHost": "redacted",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/1.1",
  "clientRequestPath": "redacted",
  "clientRequestQuery": "",
  "datetime": "2023-07-27T13:55:42Z",
  "rayName": "7ed561acdaa1fb28",
  "ruleId": "badscore",
  "rulesetId": "",
  "source": "securitylevel",
  "userAgent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "matchIndex": 0,
  "metadata": ,
  "sampleInterval": 1
}

There were no changes to our Cloudflare configuration. Has anyone else seen this come up or had Cloudflare flagging anything else valid from Microsoft today?

Just because Microsoft owns the ASN doesn’t mean that it can’t be the source of malicious traffic from services hosted in Azure.

1 Like

We see thousands of attack attempts from ASN 8075 outside the Bing & DuckDuckGo ranges and would expect, and want, the above IP to be flagged as bad.

2 Likes

It’s not one IP, it’s dozens and the requests are valid and originating from the Azure CDN, not random Azure-hosted sites.
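One way to measure how widely a rule like this is firing, as an added example that is not part of the thread: it groups exported security events by ASN for a given `source` and `ruleId`, counting requests and distinct client IPs. The field names follow the event JSON in the first post; the sample events, their IP addresses (documentation ranges), ASN 64500 and the `constructed-other` source value are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events using the field names from the event shown above.
SAMPLE_EVENTS = json.loads("""[
  {"clientAsn": "8075", "clientIP": "192.0.2.10", "datetime": "2023-07-27T03:05:00Z",
   "ruleId": "badscore", "source": "securitylevel", "action": "managed_challenge"},
  {"clientAsn": "8075", "clientIP": "192.0.2.11", "datetime": "2023-07-27T13:55:42Z",
   "ruleId": "badscore", "source": "securitylevel", "action": "managed_challenge"},
  {"clientAsn": "8075", "clientIP": "192.0.2.10", "datetime": "2023-07-27T09:00:00Z",
   "ruleId": "badscore", "source": "securitylevel", "action": "managed_challenge"},
  {"clientAsn": "64500", "clientIP": "198.51.100.7", "datetime": "2023-07-27T10:00:00Z",
   "ruleId": "badscore", "source": "securitylevel", "action": "managed_challenge"},
  {"clientAsn": "8075", "clientIP": "192.0.2.12", "datetime": "2023-07-27T11:00:00Z",
   "ruleId": "", "source": "constructed-other", "action": "block"}
]""")

def _parse(ts):
    # Timestamps in the event JSON are UTC with a trailing "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def summarize(events, source="securitylevel", rule_id="badscore"):
    """Per-ASN request count, distinct IP count and time window for one rule."""
    acc = defaultdict(lambda: {"requests": 0, "ips": set(), "times": []})
    for ev in events:
        # Only events raised by the rule under investigation are counted.
        if ev.get("source") != source or ev.get("ruleId") != rule_id:
            continue
        group = acc[str(ev["clientAsn"])]
        group["requests"] += 1
        group["ips"].add(ev["clientIP"])
        group["times"].append(_parse(ev["datetime"]))
    return {
        asn: {
            "requests": g["requests"],
            "distinct_ips": len(g["ips"]),
            "first_seen": min(g["times"]).isoformat() + "Z",
            "last_seen": max(g["times"]).isoformat() + "Z",
        }
        for asn, g in acc.items()
    }

if __name__ == "__main__":
    for asn, stats in sorted(summarize(SAMPLE_EVENTS).items()):
        print(asn, stats)
```

The `first_seen` value per ASN gives a start time to compare against any configuration change history.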
