Communication with suspicious random domain name (Preview)

Hi All

So we are seeing multiple alerts via Azure Security Centre for the following

Communication with suspicious random domain name (Preview)

The alerts show that various assets connected to our domain are querying via our DNS server various nefarious looking domain names such as 25jimj.qgxouyclggk.com and 3dde4b.zbrjtstrclnm.com

In all of these cases we can see that the asset has connected to various IP addresses that are registered to amazon. We see multiple hits to amazon and then we see hits to these random domains.

The alert points us to the following:

https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-...

We run virus scans on these machines and no malware or issues are being reported.

This alert is in preview so very little online about the alert itself.

Does anyone on here know much about this alert?

How concerned should we be?

These assets themselves are onboarded onto Defender but this activity does not trigger any alert.

2 Replies

@ragnar667 We're seeing these as well; I believe that the requests come from Chrome (or a Chromium-based browser) checking for ISP DNS interception at startup.  (See https://mikewest.org/2012/02/chrome-connects-to-three-random-domains-at-startup/.)  You'll probably see www.[random].com plus one request for each search domain.  This is benign, but unfortunately causes near 100% false-positives.
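The reply above draws a timing distinction that is worth checking against the resolver logs before closing the alert: a browser interception probe is a short burst of a few random-looking names at startup, whereas a compromised host tends to keep coming back to the same random-looking apex over hours. The script below is an added example written for this thread, not code from Microsoft, Azure Security Center or any poster. The log format, the randomness thresholds, the 10-second burst window and every host and name other than the two apex domains quoted in the original post are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: "<ISO timestamp> <client IP> <queried name>".
# qgxouyclggk.com and zbrjtstrclnm.com are the apex names quoted in the thread;
# the clients, timestamps and the other names are made up.
SAMPLE_LOG = """\
2021-07-07T08:30:01Z 10.0.0.21 www.qgxouyclggk.com
2021-07-07T08:30:01Z 10.0.0.21 www.zbrjtstrclnm.com
2021-07-07T08:30:02Z 10.0.0.21 www.kfhqtwlzbmqd.com
2021-07-07T08:30:05Z 10.0.0.21 www.microsoft.com
2021-07-07T08:31:00Z 10.0.0.42 25jimj.qgxouyclggk.com
2021-07-07T09:31:00Z 10.0.0.42 3dde4b.zbrjtstrclnm.com
2021-07-07T10:31:00Z 10.0.0.42 7f1a0c.zbrjtstrclnm.com
2021-07-07T11:31:00Z 10.0.0.42 techcommunity.microsoft.com
"""

VOWELS = set("aeiou")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def looks_random(label: str, min_len: int = 8) -> bool:
    """Cheap randomness heuristic for one DNS label (constructed thresholds, not
    the detection logic behind the Azure alert): a long label with almost no
    vowels, or with a long consonant run, reads as machine-generated."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = run = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest_run = max(longest_run, run)
    return vowel_ratio < 0.25 or longest_run >= 5


def apex_label(name: str) -> str:
    """Second-level label, treating the last two labels as the registrable domain.
    Simplification: no public-suffix list, so co.uk-style names would be mis-split."""
    labels = name.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(text: str):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower()))
    return events


def triage(text: str, burst_window_s: int = 10):
    """Group random-looking apex queries per client and classify their timing.
    'burst': at most three names inside one short window, the shape of the
    browser startup probe described in the thread. 'recurring': the same kind
    of name queried again and again over a longer span, which is what to look
    at more closely on the host."""
    flagged = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if looks_random(apex_label(qname)):
            flagged[client].append((ts, qname))
    verdicts = {}
    for client, hits in flagged.items():
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        kind = "burst" if span <= burst_window_s and len(hits) <= 3 else "recurring"
        verdicts[client] = {
            "kind": kind,
            "count": len(hits),
            "span_s": span,
            "apexes": sorted({apex_label(q) for _, q in hits}),
        }
    return verdicts


if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG).items():
        print(client, verdict)
```

In the constructed sample, 10.0.0.21 resolves three random-looking names within a second and is classed as a burst, while 10.0.0.42 returns to the two quoted apex domains once an hour and is classed as recurring. The vowel and consonant-run thresholds are deliberately crude (an ordinary word such as "strength" would trip them), so treat the output as a way to sort hosts for review, not as a verdict on its own.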

Hey @ragnar667

FYI, the SOA (start of authority) on the DNS record for zbrjtstrclnm.com points to zoneadmin.tonic.com.

Tonic.com is a pay-per-click style advertising company and the domain is likely related to their traffic.

Thanks