First, I apologize if this isn't being asked in the right place; I can't really find a good fit for where to ask this question. This is sort of a general question to see if anyone here has seen or has experience with anything similar to what I am seeing.
Over the last few weeks my company’s website has seen a huge surge in traffic, all from Microsoft’s ASN8075 network, and hundreds of different IPs. By huge, I mean 10x our normal traffic, nearly 100k requests per day which is enough to shut down our site. This traffic comes as a result of our daily newsletter to our customers and in nearly every case the URI query parameters have been re-written - the Google Analytics utm_ variables are all made into gibberish and, more annoying, the page= variable that is pretty necessary for our site to function properly has also been re-written, always to a similar nonsense string, for example instead of page=“Register” we see in the request logs page=“Vafgehd” or page=“Eftvfgfe”.
I suspect it’s some kind of automated link scanner. I have created a few firewall rules in Cloudflare to mitigate this. Interestingly, if I set the action of the firewall rule to JS Challenge it shows it gets solved nearly 30% of the time, but if I change it to a CAPTCHA Challenge then the solve rate drops to nearly zero.
I’m at a loss as to where this is suddenly coming from, if I should be worried about it, if I should be allowing the traffic, filtering it or outright blocking it. Has anyone else ever seen this or have any ideas about what it is or how I should handle it? I know that about 80% of our customers use Microsoft for their email and security and, since the traffic is coming from Microsoft and from multiple IPs, I don't want to block anything that might be legitimate or make it inconvenient or difficult for our customers to get to our site.
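One way to size the problem before deciding whether to filter or block is to separate requests whose `page=` value is one the site actually serves from requests carrying a rewritten value, and tally the latter per source IP. The script below is an added example, not code from the poster; it assumes Apache/nginx combined-format access logs and an allowlist of real page names (`KNOWN_PAGES`, a stand-in for the site's actual list). The log lines and IP addresses are constructed sample data from documentation ranges, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Page names the site actually serves (assumption: stand-in for the real list).
KNOWN_PAGES = {"Register", "Login", "Home", "Catalog"}

# Constructed sample log lines in combined log format (documentation IP ranges,
# not real traffic). 203.0.113.x plays the role of the cluster of IPs seen
# rewriting utm_ and page= parameters.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=Vafgehd&utm_source=xkfje HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=Eftvfgfe&utm_campaign=qwpzx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=Register&utm_source=newsletter HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=Login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [01/Jan/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=Hpzbqwe&utm_medium=lqmc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client IP, request method, request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client_ip, request_path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path")


def page_value(path):
    """Extract the first page= query parameter from a request path, if present."""
    vals = parse_qs(urlparse(path).query).get("page")
    return vals[0] if vals else None


def is_rewritten(path, known_pages=KNOWN_PAGES):
    """True when the request carries a page= value the site does not serve."""
    val = page_value(path)
    return val is not None and val not in known_pages


def summarize(log_text, known_pages=KNOWN_PAGES):
    """Count total requests, rewritten-page requests, and rewritten hits per IP."""
    total = 0
    rewritten = 0
    per_ip = Counter()
    values = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        total += 1
        if is_rewritten(path, known_pages):
            rewritten += 1
            per_ip[ip] += 1
            values[page_value(path)] += 1
    return {
        "total": total,
        "rewritten": rewritten,
        "per_ip": dict(per_ip),
        "values": dict(values),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['rewritten']} of {report['total']} requests carry a rewritten page= value")
    for ip, n in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents; the per-IP counts show whether the rewritten requests cluster on a small set of addresses (a candidate for a narrow Cloudflare rule keyed on an unknown `page=` value) or are spread across the same addresses that also send valid requests, in which case a blanket block would catch real customers too.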