question

0 Votes
Sree20212021 asked SimonJSmith-4809 commented

blocking issue

I wish to know if the flagging of this address is a false positive from MS side or whether the entire CDN is truly malicious.

Issue can be reproduced on any box with network protection in block mode. Open browser, attempt to navigate to https[:]//cdn.js7k.com.

Suddenly started getting a large number of Network Protection alerts related to cdn.js7k.com in M365.
Like to know if this is a false positive or whether blocking the entire CDN is truly what is intended.
I am unsure if end users are noticing any impact, as I do not know how they are actually ending up visiting that site. It appears to be related to ad delivery, so it could be that the users are sitting on an entirely unrelated page and touching the site via ads.

office-exchange-online-itpro office-exchange-server-mailflow office-exchange-server-connectivity

Hi @JustinMicheal-7973

Here I would suggest opening a service request in O365 to get further support about whether the link is malicious or a false positive from Microsoft. This is more related to the O365 backend and we do not have more information on how Microsoft judged it. Thanks for your understanding!

Get support


0 Votes 0 ·
0 Votes
Rocky254-7030 answered

I see there is no content on the website https[:]//cdn.js7k.com and it might be difficult to confirm whether the alerts are FP or not without analyzing the actual content on the website.

I think if you can provide more information regarding the website, like what content it used to host, etc., that might help Microsoft to investigate further. (Not sure, these are my thoughts.)


2 Votes
PaulGerloff-6337 answered SimonJSmith-4809 commented

We started getting the same behavior over the weekend. I've had one of my team submit a support case to ask what the root cause determination was. Will reply with whatever they come back with.


Update: Microsoft still haven't been able to say exactly why, but the blocking doesn't appear to be still in place. Putting money on a CDN node accidentally being added to the block list instead of the ad network or other content it was serving.

1 Vote 1 ·

I suspect similar, as using the advanced threat hunting I can see plenty of successful connections before and since the blocked connections. I gave up on our support case as it was like pulling teeth.

0 Votes 0 ·
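An added example, not part of the thread or anyone's posted query: one way to make the comparison described in the comment above in Microsoft 365 Defender advanced hunting, lining up Network Protection blocks against successful connections to the same domain per hour. The 14-day lookback and 1-hour bin are assumed values; adjust them to the alert window you are investigating.

```kusto
// Added example. Assumptions: 14-day lookback, 1-hour bins.
let domain = "cdn.js7k.com";
let lookback = 14d;
// Connections stopped by Network Protection (block mode).
let blocked =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ExploitGuardNetworkProtectionBlocked"
    | where RemoteUrl contains domain
    | project Timestamp, DeviceName, Outcome = "Blocked",
              InitiatingProcessFileName, RemoteUrl;
// Connections to the same domain that were allowed through.
let connected =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | where RemoteUrl contains domain
    | project Timestamp, DeviceName, Outcome = "Connected",
              InitiatingProcessFileName, RemoteUrl;
// Hourly timeline: a run of "Blocked" rows bracketed by "Connected" rows
// marks the window in which the indicator was on the block list.
union blocked, connected
| summarize Events = count(),
            Devices = dcount(DeviceName),
            Processes = make_set(InitiatingProcessFileName, 10)
    by Outcome, bin(Timestamp, 1h)
| order by Timestamp asc
```

The `Processes` column shows which applications initiated the requests, which helps separate browser traffic pulling in ad content from anything unexpected on the endpoint.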
0 Votes
ACGel-7643 answered ralph-5226 published

Hello folks, did anyone get an answer from Microsoft? I got a lot of alerts about suspicious connections to that URL.
Thanks


We submitted a report case this morning, still waiting to hear back.

0 Votes 0 ·
0 Votes
PaulGerloff-6337 answered

@Rocky254-7030 It's a CDN, so the content will be unlikely to be static; a single CDN user could have triggered blocking, or the CDN itself is suspect, or of course FP. Still no word from MSFT on our ticket.
