Forum Discussion

Brok3NSpear
Brass Contributor
Jan 23, 2024

Company Portal Attempting To Connect To Unknown Site

Hi,

We keep seeing CompanyPortal.exe attempting (Outbound Connection) to access hxxps://powerlift-frontdesk.acompli[.]net

When looking up this site in VirusTotal I can see it connects to 52.162.107[.]40 which is owned by Microsoft.

https://www.virustotal.com/graph/embed/g3ce692f876c94e8d98b99972c32936da2c03bfa8e502445f85871c6ef19d805d?theme=dark is a Graph in VirusTotal showing all other resolutions for this IP address.

When accessing that site via a Sandbox, it just says:

'Alchemy-Mantis-FrontDesk is Up & Running! Try ~/swagger to checkout the API's.'

Does anyone have any information as to what this site is and why the Company Portal keeps attempting to reach out to it?

The site is currently blocked via Indicators by us.

3 Replies

  • ajon88
    Copper Contributor

    Hi
    Have you found any further info on this?

    I am seeing similar activity.
    Thanks

    • Brok3NSpear
      Brass Contributor

      ajon88 

      Unfortunately I never received anything official back from Microsoft for this, but would appreciate an official reply to better understand this so we can at least document it. It's blocked currently from our side until we do get a good response from MS.

      Here though is what I can get from ChatGPT: (changed formatting as it doesn't translate that well when pasted across to this chat)

      --------------------------------------------------

      The connection attempt by CompanyPortal.exe to hxxps://powerlift-frontdesk.acompli[.]net is likely related to Microsoft's Intune and Office 365 infrastructure, specifically around mobile device management (MDM), conditional access, or email security services. Here's a detailed breakdown of why this connection might be occurring:

      1. What is CompanyPortal.exe?

      - CompanyPortal.exe is an application associated with Microsoft Intune, a cloud-based service for managing mobile devices, apps, and computers. Intune allows organizations to manage access to corporate resources like emails, documents, and other applications on company-owned or personal devices while enforcing security policies.
      - The Company Portal app is commonly used on devices to provide users with access to apps, company resources, and security policies that are managed through Intune.

      2. What is powerlift-frontdesk.acompli[.]net?

      - The domain acompli[.]net is linked to Acompli, the original name of the email app Microsoft acquired in 2014, which was later rebranded into Outlook Mobile. The Acompli service handles backend services related to mobile email, such as synchronization, email retrieval, and push notifications. It's also associated with the infrastructure that manages mobile email security and conditional access through Intune.
      - The specific subdomain `powerlift-frontdesk.acompli[.]net` seems to be related to internal Microsoft services for managing mobile and conditional access policies in real-time. "Powerlift" is often an internal codename or service within Microsoft related to monitoring, troubleshooting, and enforcing conditional access policies for mobile devices.

      3. Why is CompanyPortal.exe trying to connect to `powerlift-frontdesk.acompli[.]net`?

      - Mobile Device Management (MDM): If your organization uses Intune for mobile device management, the CompanyPortal.exe would likely need to communicate with Microsoft's infrastructure to check for updates to policies, manage device compliance, and handle any conditional access rules (e.g., ensuring the device meets security requirements before granting access to corporate emails or apps).
      - Conditional Access Policies: The powerlift-frontdesk.acompli[.]net endpoint could be used to enforce conditional access policies that allow or deny access to corporate resources based on device health, location, or other factors. This might include verifying the device’s compliance with policies (such as encryption status, malware protection, etc.).
      - Email Security and Syncing: Given Acompli’s legacy as an email app and the continued use of acompli[.]net domains in Microsoft's infrastructure, this connection might also support email-related functions, such as syncing emails to the mobile app or monitoring the device’s security posture to allow access to Exchange Online or Outlook.
      - User and Device Authentication: This connection might be part of an authentication process where the Company Portal app communicates with Microsoft's cloud infrastructure to validate the device or user and enforce identity-based security policies.

      4. What to Do About These Connections

      If these connection attempts are flagged by a security tool, it’s important to determine if they are expected in your environment. Here are some considerations:
      - Expected Behavior: If your organization uses Intune or Office 365 with mobile device management or conditional access policies, these connection attempts are likely expected and legitimate.
      - Whitelisting: If this is a common connection related to Microsoft services, you may need to whitelist the domain to avoid unnecessary alerts.
      - Suspicious Activity: If your organization does not use Microsoft Intune or does not expect this connection, further investigation is warranted to ensure there isn’t any rogue software attempting unauthorized connections.

      5. Next Steps

      - Verify with IT: Confirm with your IT department or security team if Intune or conditional access policies are in place for your organization's devices. If they are, this connection is likely routine.
      - Check Microsoft Documentation: Review Microsoft documentation on Intune, conditional access, and Office 365 to better understand the infrastructure and any expected network traffic.
      - Monitoring: If this connection appears abnormal, you could monitor the outbound traffic and logs for further details, like the frequency and timing of these connection attempts, to identify any patterns or anomalies.

      Conclusion

      The outbound connection from CompanyPortal.exe to `hxxps://powerlift-frontdesk.acompli[.]net` is almost certainly related to Microsoft Intune and conditional access services for managing mobile devices and enforcing security policies. This is likely a legitimate and necessary part of Microsoft's infrastructure, particularly if your organization uses Intune or Office 365 services.

      ---------------------------------------------------------

      As I said though, something official from Microsoft would be appreciated.
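An added example, not from this thread or from Microsoft, of the log review the "Monitoring" step above describes: it reads a constructed export of outbound-connection events, groups them by process and destination, and reports attempt counts and how regular the intervals are, so repeated CompanyPortal.exe attempts can be compared against documented Microsoft endpoints before an indicator block is kept or lifted. The CSV layout, hostnames and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export (not real telemetry): timestamp,host,process,remote_host,port,action
SAMPLE_LOG = """\
2024-01-23T08:00:01Z,WS01,CompanyPortal.exe,powerlift-frontdesk.acompli.net,443,Blocked
2024-01-23T08:15:02Z,WS01,CompanyPortal.exe,powerlift-frontdesk.acompli.net,443,Blocked
2024-01-23T08:30:00Z,WS01,CompanyPortal.exe,powerlift-frontdesk.acompli.net,443,Blocked
2024-01-23T08:45:03Z,WS01,CompanyPortal.exe,powerlift-frontdesk.acompli.net,443,Blocked
2024-01-23T08:02:10Z,WS01,msedge.exe,www.example.com,443,Allowed
2024-01-23T09:41:55Z,WS01,msedge.exe,www.example.com,443,Allowed
"""

def parse_events(text):
    """Parse the constructed CSV lines into (timestamp, host, process, remote_host, port, action)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, proc, rhost, port, action = line.split(",")
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, rhost, int(port), action))
    return events

def summarise(events):
    """Group by (process, remote host): attempt count, blocked count, interval stats, periodicity flag."""
    groups = defaultdict(list)
    for ts, _host, proc, rhost, _port, action in events:
        groups[(proc, rhost)].append((ts, action))
    out = {}
    for key, rows in groups.items():
        rows.sort()
        times = [t for t, _ in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        # Jitter: largest deviation from the median interval, as a fraction of the median.
        jitter = max(abs(g - med) for g in gaps) / med if med else None
        out[key] = {
            "count": len(rows),
            "blocked": sum(1 for _, a in rows if a == "Blocked"),
            "first_seen": times[0], "last_seen": times[-1],
            "median_interval_s": med, "jitter": jitter,
            # Heuristic: 3+ near-identical gaps reads as a scheduled client check-in; a review prompt, not proof.
            "periodic": len(gaps) >= 3 and jitter is not None and jitter < 0.1,
        }
    return out

if __name__ == "__main__":
    for (proc, rhost), s in summarise(parse_events(SAMPLE_LOG)).items():
        print(f"{proc} -> {rhost}: {s['count']} attempts, {s['blocked']} blocked, median interval {s['median_interval_s']}s, periodic={s['periodic']}")
```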
