False Positive? settings-win.data.microsoft.com resolving to Microsoft Blackhole IP

Published: 2015-05-19
Last Updated: 2015-05-19 20:36:01 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago, a legitimate Microsoft host name, settings-win.data.microsoft.com, started to resolve to a Microsoft IP that is commonly used for the blackholes that Microsoft operates:

$ host settings-win.data.microsoft.com
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address

Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example:

[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - [**] [Classification: A Network Trojan was detected] [Priority: 1] ...
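An added example of my own (not part of the diary): a small Python check that parses `host` output like the above, walks the CNAME alias chain and reports any target that matches Microsoft's blackhole naming, so an analyst can see at a glance which legitimate name ended up pointing at a sinkhole. The sinkhole-name pattern is an assumption drawn from the name seen above, and the second, benign chain is constructed for contrast.

```python
import re

# Output of `host settings-win.data.microsoft.com` as quoted in the diary
# (the address on the last line is elided there as well).
HOST_OUTPUT = """\
settings-win.data.microsoft.com is an alias for settings.data.glbdns2.microsoft.com.
settings.data.glbdns2.microsoft.com is an alias for blackhole6.glbdns2.microsoft.com.
blackhole6.glbdns2.microsoft.com has address
"""

# Constructed benign chain for contrast (hostnames and address are made up).
BENIGN_OUTPUT = """\
www.example.com is an alias for edge.example.net.
edge.example.net has address 192.0.2.10
"""

# Assumption: Microsoft's sinkhole targets follow the blackholeN.glbdns2 naming
# seen in the diary; adjust if other names are observed.
SINKHOLE_RE = re.compile(r"^blackhole\d*\.glbdns2\.microsoft\.com$", re.I)

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)\.$")
ADDR_RE = re.compile(r"^(\S+) has (?:IPv6 )?address\s*(\S*)$")


def parse_host_output(text):
    """Return (aliases, addresses) parsed from `host`-style output."""
    aliases, addresses = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1).lower()] = m.group(2).lower()
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses.setdefault(m.group(1).lower(), []).append(m.group(2))
    return aliases, addresses


def follow_chain(name, aliases, limit=10):
    """Walk CNAME aliases starting at name; stop on a loop or after limit hops."""
    chain, seen = [name.lower()], {name.lower()}
    while chain[-1] in aliases and len(chain) <= limit:
        nxt = aliases[chain[-1]]
        if nxt in seen:  # CNAME loop, do not spin forever
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def sinkhole_hits(name, text):
    """Names in the alias chain of `name` that match the sinkhole pattern."""
    aliases, _ = parse_host_output(text)
    return [h for h in follow_chain(name, aliases) if SINKHOLE_RE.match(h)]
```

A non-empty result means the queried name, legitimate or not, currently terminates at a Microsoft blackhole, which is exactly the condition the IDS signature above fires on.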

It is not yet clear which process initiates the connection to this IP on port 443, but a number of other users are reporting similar issues. For example, see here:


At this point, I am assuming that this is some kind of configuration error at Microsoft.

Johannes B. Ullrich, Ph.D.
