MDE alerts with "Network traffic proxy redirector detected"

Copper Contributor

Hello all,

 

In our SOC, we've been seeing alerts on MDE for Mozilla Firefox with a combination of "Network traffic proxy redirector detected" and "Connection to a custom network indicator" to domains such as "https[:]//s.skimresources.com" for a particular customer. (Please see the screenshot of the alert below)

 

We recommended them to:

  • Investigate if any proxy settings were enabled for Firefox on the host which might explain the observed proxy behaviour and ensure it is legitimate.
  • Scan the host with Defender and investigate the reason behind attempted connections to the suspicious domain.
  • Check for any suspicious add-ons/extensions on the Firefox browser, and also to reset Firefox.

     

     

    However, we still do see these alerts and now we do not really know what to advise/to look for further than this.

    Furthermore, we observed that these Network Proxy alerts are always in conjunction with a connection to a custom network indicator being blocked.

     

    Question: Would anyone of you maybe know if this is a false positive by MDATP? Or if not, how else to prevent/avoid these alerts? (apart from creating a suppression rule)

Screenshot 2022-06-14 at 10.34.51.png

15 Replies
What does the alert detail popup say about the alert? Usually that explains in more detail what the alert is looking at, though not always in a helpful fashion.

@Sashaank 

I am having the same issue and I have tried to look into the root cause that have triggered the alert but couldn't find it

 

Here firefox.exe is used as a internal proxy by sending and receiving x amount of bytes and in custom network indicator it is mentioned like blocked firefox from accessing the below website

https://system.picreel.com

 

 

 

We are seeing the same issue. Interested to learn what others discover about this issue. We tried changing the default system proxy error to no proxy and that doesn't seem to help.

  

Do you also see?

 

Network Filter Lookup Service blocked firefox.exe from accessing 
Connection to a custom network indicator
 
I am wondering if this has something to do with certain traffic being blocked.

@Surya_2149

We are seeing the same issues on our side. Firefox.exe is what is pulling up for us. @Sashaank 

We are also seeing this behaviour on 5 of our +/- 1.5k devices.

Just connections firefox.exe and several ports:

[firefox.exe]
TCP 127.0.0.1:54407 127.0.0.1:54406 ESTABLISHED 14400
[firefox.exe]
TCP 127.0.0.1:54420 127.0.0.1:54421 ESTABLISHED 7652
[firefox.exe]
TCP 127.0.0.1:54421 127.0.0.1:54420 ESTABLISHED 7652
[firefox.exe]
TCP 127.0.0.1:54432 127.0.0.1:54433 ESTABLISHED 14628
[firefox.exe]
TCP 127.0.0.1:54433 127.0.0.1:54432 ESTABLISHED 14628
[firefox.exe]
TCP 127.0.0.1:54561 127.0.0.1:54562 ESTABLISHED 19452
[firefox.exe]
TCP 127.0.0.1:54562 127.0.0.1:54561 ESTABLISHED 19452
[firefox.exe]
TCP 127.0.0.1:54571 127.0.0.1:54572 ESTABLISHED 10864
[firefox.exe]
TCP 127.0.0.1:54572 127.0.0.1:54571 ESTABLISHED 10864
[firefox.exe]
TCP 127.0.0.1:54582 127.0.0.1:54583 ESTABLISHED 17636
[firefox.exe]
TCP 127.0.0.1:54583 127.0.0.1:54582 ESTABLISHED 17636
[firefox.exe]

 

Haven't figured out what's going on.

Normal behaviour from firefox.exe that's suddenly reporting as redirector proxy?

Or malicious activity?

 

Thanks for some response    . 

@Sashaank

@MicrosoftSecurityandComplianceTeam

@JG-Burke I am also not sure about that, searching for a solution regarding this alert

We have also been seeing this. I was thinking that it's the Firefox "Configure Proxy Access to the Internet" being set to 'auto-detect' or 'use system'. So I set it to "No Proxy" using GPO, but that doesn't appear to be it.
My organization also started getting these recently, always Firefox, always alongside a trigger for a network event like a custom network indicator.

I think it's related to this - https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections#w_loopback-connec...

If accurate this is going to be a useless detection for Firefox. Has anyone seen this trigger on any other browsers?
Thanks @Bobbers

Loopback connection
A loopback connection (to IP address 127.0.0.1) can be made by Firefox on non-Unix machines. In this case the browser is communicating with itself as expected, and it is not recommended that this communication be blocked. See bug 100154 for more information.
Just wanna know, has anyone got any information or update regarding this alert
We are observing the same activity. Any update on this?

@Subham7 

 

I noticed that I am getting this alert when a user is using firefox browser to try and access a url that is being blocked by the EDR in the first place.  For example, a malicious ad domain is being blocked by the EDR and I get a regular alert about a blocked malicious domain if the user uses any other browser that isn't firefox.  When the same url and it is supposed to be blocked in the EDR and the browser used ais firefox, there seems to be this proxy alert being triggered.

 

Seems like a bug?

I have a feeling that the alert is related to Microsoft Defender itself. When we get this alert we see the user is blocked by the smart screen. Seems like Defender is doing some kind of proxy to observe the connections and generate this alert. I feel it is a bug that we tried to communicate with MS but still not much luck.