BITS Downloading App updates from unknown endpoint
Hi,

Our IDS started freaking out today because a large number of our endpoints started initiating BITS downloads to an unknown endpoint. My initial reaction was ransomware, but after further investigation it appears that these BITS downloads are updates for Windows Store Apps. I am making this post to confirm that these endpoints are actually indeed official Microsoft endpoints.

The BITS requests I had seen were all for the Limelight Networks CDN (llnwd[.]net), which I have heard hosts content for a lot of MSPs, one of which being Microsoft. Checking the logs, it appears that our workstations have never made BITS requests to this CDN. All previous BITS updates were carried out using official microsoft.com endpoints.

The following are some examples of the domains seen in the BITS requests:

ic-c39e4900-0f7065-msftstoretlu19.s.loris.llnwd[.]net
ic-c39e4900-0d5ab5-msftstore19.s.loris.llnwd[.]net
ic-c39e4900-08b3f9-msftstore19.s.loris.llnwd[.]net
ic-c39e4900-0700f8-msftstore19.s.loris.llnwd[.]net

Although all my investigations point to these being official Microsoft endpoints, I am worried that a CDN is being used because a malicious actor could easily mangle the URLs to make them look like official Microsoft ones.

Is this the correct place to confirm that the above sub-domains are official Microsoft, and if not where should I ask this question instead?

Thanks
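The triage the post describes (spot BITS transfers, compare their destinations against what the fleet has used before, and avoid being fooled by a Microsoft-sounding label on someone else's domain) can be scripted. The following is an added example, not code from the original post or from Microsoft. It assumes a generic proxy log layout of timestamp, client, method, URL and quoted user agent, and a small allowlist of first-party registrable domains that you would maintain yourself; the sample log lines are constructed for the illustration, reusing the llnwd.net hostnames quoted above plus one contrived lookalike on a reserved .example domain.

```python
"""Triage BITS download destinations found in proxy or IDS logs.

Added example. Log format, allowlist and sample lines are assumptions
made for this illustration, not any product's real format or data.
"""
import re
from urllib.parse import urlsplit

# Assumption: registrable domains from which Microsoft is known to serve
# Windows and Store content. Treat this as a starting list to maintain,
# not as complete or authoritative.
FIRST_PARTY_DOMAINS = {"microsoft.com", "windowsupdate.com"}
BRAND_TOKENS = ("microsoft", "msft", "windows")
BITS_UA = re.compile(r"\bMicrosoft BITS/", re.IGNORECASE)
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

FIRST_PARTY = "first-party"
THIRD_PARTY_BRANDED = "third-party-branded"
THIRD_PARTY = "third-party"

# Constructed sample log lines: timestamp, client, method, URL, user agent.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.1.4.22 GET http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc "Microsoft BITS/7.8"
2024-05-01T09:12:09Z 10.1.4.23 GET http://ic-c39e4900-0f7065-msftstoretlu19.s.loris.llnwd.net/pkg/one.appx "Microsoft BITS/7.8"
2024-05-01T09:12:11Z 10.1.4.24 GET http://ic-c39e4900-0d5ab5-msftstore19.s.loris.llnwd.net/pkg/two.appx "Microsoft BITS/7.8"
2024-05-01T09:13:40Z 10.1.4.25 GET http://update.microsoft.com.cdn-mirror.example/patch.msu "Microsoft BITS/7.8"
2024-05-01T09:14:02Z 10.1.4.26 GET https://www.microsoft.com/en-us/ "Mozilla/5.0"
"""


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname.

    Simplification: takes the last two labels, which is right for .com and
    .net but wrong for multi-label public suffixes such as co.uk. Production
    code should consult the Public Suffix List (e.g. the tldextract package).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> str:
    """Decide what a hostname proves about who controls it.

    Only the registrable domain carries ownership. A Microsoft-sounding label
    further left (msftstore19.s.loris.llnwd.net, or a contrived
    update.microsoft.com.<other-domain>) proves nothing either way, so both
    are reported as needing confirmation rather than trusted or blocked.
    """
    domain = registrable_domain(host)
    if domain in FIRST_PARTY_DOMAINS:
        return FIRST_PARTY
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return THIRD_PARTY_BRANDED
    return THIRD_PARTY


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that don't match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "ua": ua}


def triage(log_text: str, baseline_domains: set) -> list:
    """Flag BITS transfers whose destination is outside the first-party allowlist.

    baseline_domains is the set of registrable domains BITS has been seen
    using before; anything not in it is marked as a new destination.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not BITS_UA.search(rec["ua"]):
            continue
        verdict = classify(rec["host"])
        if verdict == FIRST_PARTY:
            continue
        domain = registrable_domain(rec["host"])
        findings.append({
            "client": rec["client"],
            "host": rec["host"],
            "registrable_domain": domain,
            "verdict": verdict,
            "new_destination": domain not in baseline_domains,
        })
    return findings


if __name__ == "__main__":
    # Baseline of what the fleet used before; in the post that was only microsoft.com.
    for finding in triage(SAMPLE_LOG, {"microsoft.com"}):
        print(finding)
```

The llnwd.net hosts and the contrived lookalike land in the same "third-party-branded" bucket on purpose: the text inside a label cannot settle ownership, so the verdict is "confirm with the vendor", which is exactly the question the post asks. On the endpoint side, the matching view of queued jobs comes from PowerShell's Get-BitsTransfer -AllUsers, whose job URLs can be fed through the same classification.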