MCAS IPv6 Recipient Cache False Positive Impossibile Traveller

%3CLINGO-SUB%20id%3D%22lingo-sub-1106444%22%20slang%3D%22en-US%22%3EMCAS%20IPv6%20Recipient%20Cache%20False%20Positive%20Impossibile%20Traveller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1106444%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMore%20of%20an%20FYI%20in%20case%20anyone%20is%20searching.%20Started%20noticing%20some%20EXTRA%20(HA)%20Impossibile%20Traveller%20Alerts.%20Checked%20them%20out%20and%20found%20it%20was%20actually%20a%20Create%20Email%20MCAS%20Event%20in%20the%20US%20from%20an%20IPv6%20Block%20assigned%20to%20Microsoft%20but%20MCAS%20didn't%20seem%20to%20know%20the%20range%20or%20tag%20it%20as%20Azure%20Cloud%2FMicrosoft%2FOffice%20365%2C%20etc.%20Started%20to%20see%20a%20few%20more%20and%20more%20in%20the%20IPv6%20Range%20so%20started%20to%20look%20into%20it%20further.%20The%20alert%20didn't%20provide%20much%20info%20other%20then%20Device%20Type%20%3A%26nbsp%3B%3CSPAN%3EClient%3DREST%3BClient%3DRESTSystem%3B%20(In%20hindsight%20it%20was%20there%20in%20the%20raw%20data%20of%20the%20app%20connector%20but%20I%20missed%20it)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EChecked%20the%20Audit%20Log%20(don't%20know%20why%20I%20didn't%20check%20it%20sooner)%20and%20found%20that%20its%20actually%20something%20to%20do%20with%20the%20Recipient%20cache%20inside%20the%20Mailbox.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThoughts%20are%20that%20it%20could%20be%20something%20to%20do%20with%20the%20latest%20FindTime%20changes%20or%20some%20kind%20of%20new%20feature%20for%20something%20to%20do%20with%20recipient%20cache%20or%20Calendar%20Entries%20based%20on%20what%20the%20user%20said%20they%20were%20doing.%20Might%20clarify%20further%20as%20I%20dig%20into%20the%20logs%20further.%20If%20I%20do%20i'll%20post%20here.%20Either%20way%20MCAS%20doesn't%20seem%20to%20know%20the%20IPv6%20range.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20IPv6%20Ranges%20all%20seem%20to%20start%20with%3A%202%3CSPAN%3E603%3A10c6%3A220%3A4d%3Acafe.%20The%20bits%20that%20stay%20the%20same%20are%20the%20cafe%20and%202603%3A10%2C%20mostly%2010c6%20but%20not%20always.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EHope%20this%20helps%20someone%2C%20or%20with%20more%20information%2C%20helps%20me%20clarify%20exactly%20what%20it%20is.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1106444%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1117670%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20IPv6%20Recipient%20Cache%20False%20Positive%20Impossibile%20Traveller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1117670%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40416%22%20target%3D%22_blank%22%3E%40Tim%20Lourey%3C%2FA%3Emore%20FYI%20%3B)%3C%2Fimg%3E%3C%2FP%3E%3CP%3EWe%20opened%20a%20ticket%20with%20MCAS%20and%20then%20with%20Exchange%20Online%20support%20in%20early%20Jan%2C%20that%20confirmed%20this%20is%20a%20%22potential%20bug%22...%3C%2FP%3E%3CP%3EStill%20waiting%20on%20a%20resolution%2C%20current%20recommendation%20was%20to%20add%20all%20these%20IPv6%20as%20trusted.%20Since%20these%20IPs%20are%20not%20listed%20in%20the%20official%20ranges%20and%20constantly%20change%20we%20decided%20to%20wait%20for%20a%20proper%20resolution.%3C%2FP%3E%3CP%3ERequested%20also%20rationale%20for%20the%20REST%20client%20polling%20customer%20data%20with%20no%20luck%20so%20far%3C%2FP%3E%3CP%3EQuite%20disappointed%20with%20the%20MS%20support%20around%20this%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1121575%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20IPv6%20Recipient%20Cache%20False%20Positive%20Impossibile%20Traveller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1121575%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40416%22%20target%3D%22_blank%22%3E%40Tim%20Lourey%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F337689%22%20target%3D%22_blank%22%3E%40FaustinRoman%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20seeing%20a%20near%20identical%20event%20generating%20impossible%20travel%20alerts.%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20hear%20anything%20further%20please%20let%20us%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1117903%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20IPv6%20Recipient%20Cache%20False%20Positive%20Impossibile%20Traveller%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1117903%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F337689%22%20target%3D%22_blank%22%3E%40FaustinRoman%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20wonder%20if%20its%20always%20been%20doing%20this%20but%20has%20now%20moved%20this%20IPv6%20and%20as%20you%20said%20it%20just%20doesn't%20know%20about%20it.%20I%20also%20wonder%20if%20these%20servers%20are%20actually%20in%20our%20local%20region%20but%20its%20just%20a%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20also%20wondering%20if%20this%20is%20part%20of%20the%20integration%20of%20the%20'Outlook%20for%20iOS'%20and%20'Outlook%20for%20Android'%20Apps.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi all, 

 

More of an FYI in case anyone is searching. Started noticing some EXTRA (HA) Impossibile Traveller Alerts. Checked them out and found it was actually a Create Email MCAS Event in the US from an IPv6 Block assigned to Microsoft but MCAS didn't seem to know the range or tag it as Azure Cloud/Microsoft/Office 365, etc. Started to see a few more and more in the IPv6 Range so started to look into it further. The alert didn't provide much info other then Device Type : Client=REST;Client=RESTSystem; (In hindsight it was there in the raw data of the app connector but I missed it)

 

Checked the Audit Log (don't know why I didn't check it sooner) and found that its actually something to do with the Recipient cache inside the Mailbox. 

 

Thoughts are that it could be something to do with the latest FindTime changes or some kind of new feature for something to do with recipient cache or Calendar Entries based on what the user said they were doing. Might clarify further as I dig into the logs further. If I do i'll post here. Either way MCAS doesn't seem to know the IPv6 range. 

 

The IPv6 Ranges all seem to start with: 2603:10c6:220:4d:cafe. The bits that stay the same are the cafe and 2603:10, mostly 10c6 but not always. 

 

Hope this helps someone, or with more information, helps me clarify exactly what it is. 

10 Replies

@TimLoureymore FYI ;)

We opened a ticket with MCAS and then with Exchange Online support in early Jan, that confirmed this is a "potential bug"...

Still waiting on a resolution, current recommendation was to add all these IPv6 as trusted. Since these IPs are not listed in the official ranges and constantly change we decided to wait for a proper resolution.

Requested also rationale for the REST client polling customer data with no luck so far

Quite disappointed with the MS support around this

@FaustinRoman ,

 

I wonder if its always been doing this but has now moved this IPv6 and as you said it just doesn't know about it. I also wonder if these servers are actually in our local region but its just a 

 

I also wondering if this is part of the integration of the 'Outlook for iOS' and 'Outlook for Android' Apps. 

@TimLourey @FaustinRoman 

We are seeing a near identical event generating impossible travel alerts.

If you hear anything further please let us know.

@TimLoureygood questions!

For us the service location generating the alert is in US while our Exchange data is hosted in a very different region.

We requested rationale and details for this process as we are concerned about data sovereignty and privacy.

@JKelly9 @TimLourey I will send this thread to the team looking after our tickets, hopefully they will reply here or speed-up the resolution.

In any case, thanks for sharing! ;)

Ok hope this is resolved soon as we're getting the same issue

@jurajlthis was resolved a few months back

I recommend opening a service request

@FaustinRoman Hi Faustion

 

Did you ever get a reply to your question regarding data sovereignty and privacy? If so could I possibly ask if you would be kind enough to post the response in this thread please? I ask because we are in exactly the same situation where our data is hosted in a different region to the US as well and it would be great to try and know the reasoning behind alerts getting generated in the US.

 

Many thanks in advance.

We got an answer, not sure if really addressed all concerns:
"We're informed that the Microsoft Internal IP that's being logged by Microsoft Security Cloud Service/App was a service from the back-end that triggers the audit log events itself. That's why it happens every 00:00 UTC standard time when Microsoft generates an audit log.

We're also informed that the IP was already whitelisted by the MCAS so this should no longer trigger alerts.

As far as data accessed outside of the region, there were none as the event is only for triggering the audit service."

You could ask why this event is not triggered from the same region... I leave that to you, let me know how far you get with MS support and if it was worth your time....
Hi Faustin

Thank you very much for replying. I can say that it doesn't ring quite true what they say about the event only triggering at 00:00 UTC as we have observed these events at different times of the day.

I will certainly try to follow this up with Microsoft and if I do get any meaningful updates I will post them to this thread. Many thanks again to you.