topic Microsoft URL being DNS sinkholed suddenly? in Advanced Threat Prevention Discussions

Microsoft URL being DNS sinkholed suddenly?

BStojceski — Sun, 07 Jun 2020 10:43:19 GMT

Has anyone else started getting DNS sinkhole threat alerts for the below domain? About half a day ago I started getting a tonne of sinkhole alarms from our PA for this URL. It looks to be a legitimate Microsoft domain and IP. In the PA threat log it comes up as Spyware.

skypedataprdcolase04.cloudapp.net

The PA threat vault shows the below:

Anyone else seeing this and any word of why it is happening? I'm getting alerts all day and from a whole lot of different internal hosts.

Thanks

Re: Microsoft URL being DNS sinkholed suddenly?

mbrimberry — Sun, 07 Jun 2020 13:51:16 GMT

Same here, alerting around every 10 to 15 minutes.

Re: Microsoft URL being DNS sinkholed suddenly?

xfahad — Sun, 07 Jun 2020 20:21:27 GMT

i have got the same thing to today , was it solved from your end .

all seem legit for me .

Re: Microsoft URL being DNS sinkholed suddenly?

BStojceski — Sun, 07 Jun 2020 21:56:01 GMT

It seemed to eventually stop itself overnight. I did notice the threat ID disappeared from the threat DB a couple of hours before my post, so maybe it took time for the PA's to sync and stop triggering alerts? Seems to be OK now.

Re: Microsoft URL being DNS sinkholed suddenly?

mivaldi — Mon, 08 Jun 2020 17:12:38 GMT

The DNS Security signature was disabled on 06/05/2020 14:22 PDT, and the Anti-Spyware DNS signature is no longer present with 06/07's release of the Antivirus package version 3372-3883. Please upgrade to this version (or later) to have the signature removed.