
Observe multiple outbound traffic with Microsoft domain

Chandra Pal Singh Chauhan 25 Reputation points
2026-02-12T12:00:54.89+00:00

Dear Team,

We have detected multiple URL requests from one of my Windows servers, holding a Microsoft domain, that have been identified as malicious by Trend Micro threat intelligence.

Can you please comment on these URLs.

http://194.36.32.207/filestreamingservice/files/1320e66c-29d2-4d7c-9b43-7f50d68ae3bb?P1=1770877599&P2=404&P3=2&P4=NvbCqRcIUfO9RgoIuc8qHpl%2btc17xVKIr%2be2ywd7EUCXwpjIGJzns0L%2b1hd7aZjsQX6xPeZunF6cB9fX3HWduQ%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

and nearly 500 more.


Answer accepted by question author
  1. VPHAN 24,120 Reputation points Independent Advisor
    2026-02-12T16:25:03.3733333+00:00

    Hi Chandra Pal Singh Chauhan,

    The URL syntax you observed is functional, not deceptive. In Windows Delivery Optimization (DO) and Connected Cache architecture, the cacheHostOrigin parameter is a standard routing argument used to map the requested content back to the specific Microsoft Content Delivery Network (CDN) origin, in this case, *.tlu.dl.delivery.mp.microsoft.com. This allows the external peer or ISP-hosted cache node (the IP 194.36.32.207) to retrieve and serve the correct file segment. The ampersand & is merely a standard delimiter for these query strings, not a mechanism to separate malicious payloads from legitimate ones.

    Your sandbox findings are the definitive proof of legitimacy. A valid Microsoft digital signature on the downloaded binary is cryptographically impossible to spoof via URL manipulation. Windows Update clients also verify the SHA-256 hash of every file chunk against trusted metadata downloaded directly from the Windows Update Service (HTTPS) before assembly. If the content were a decoy or malicious injection from that external IP, the hash check would fail, and the OS would discard the packet immediately.

    To eliminate these false positives and the reliance on external cache IPs, you must enforce the configuration previously discussed. Set Download Mode to Simple (99) in Group Policy (Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization). This restricts the Windows Update agent to use only HTTP/HTTPS traffic directly from official Microsoft FQDNs, bypassing the peering logic that generates these dynamic URLs.

    VP

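The accepted answer explains that cacheHostOrigin maps a Delivery Optimization cache fetch back to the Microsoft CDN origin. The script below is an added triage example (not code from the thread or from Microsoft): it parses that parameter out of each URL and labels the request as an expected DO cache fetch only when the path is the DO file-streaming path and the origin falls under delivery.mp.microsoft.com, the suffix named in the answer; the sample URL list is constructed to stand in for a proxy or firewall log export, and the two contrast entries use documentation addresses.

```powershell
# Added example (not from the thread): triage Delivery Optimization (DO) cache URLs
# by extracting cacheHostOrigin and checking it against the Microsoft DO CDN suffix.
# Assumption: the trusted suffix below is taken from the accepted answer's example.
$TrustedOriginSuffix = 'delivery.mp.microsoft.com'

function Get-QueryParam {
    # Returns the URL-decoded value of a query-string parameter, or $null if absent.
    param([string]$Url, [string]$Name)
    $uri = [System.Uri]$Url
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0] -eq $Name) {
            return [System.Uri]::UnescapeDataString($kv[1])
        }
    }
    return $null
}

function Test-DOCacheUrl {
    # Classifies one URL: expected DO cache fetch, DO path with a suspect origin, or not DO at all.
    param([string]$Url)
    $uri       = [System.Uri]$Url
    $origin    = Get-QueryParam -Url $Url -Name 'cacheHostOrigin'
    $isDoPath  = $uri.AbsolutePath -like '/filestreamingservice/files/*'
    $isTrusted = ($null -ne $origin) -and
                 ($origin -eq $TrustedOriginSuffix -or $origin.EndsWith(".$TrustedOriginSuffix"))
    [PSCustomObject]@{
        Host            = $uri.Host
        CacheHostOrigin = $origin
        Verdict         = if ($isDoPath -and $isTrusted) { 'DO cache fetch (expected when peering is enabled)' }
                          elseif ($isDoPath)             { 'DO path but untrusted or missing origin: review' }
                          else                           { 'Not a DO URL: review' }
    }
}

# Constructed sample: the URL quoted in the question plus two contrast entries
# (203.0.113.10 and updates.example.net are documentation-only values).
$Urls = @(
    'http://194.36.32.207/filestreamingservice/files/1320e66c-29d2-4d7c-9b43-7f50d68ae3bb?P1=1770877599&P2=404&P3=2&P4=NvbCqRcIUfO9RgoIuc8qHpl%2btc17xVKIr%2be2ywd7EUCXwpjIGJzns0L%2b1hd7aZjsQX6xPeZunF6cB9fX3HWduQ%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com',
    'http://203.0.113.10/filestreamingservice/files/abc?cacheHostOrigin=updates.example.net',
    'http://203.0.113.10/some/other/path'
)
$Urls | ForEach-Object { Test-DOCacheUrl -Url $_ } | Format-Table -AutoSize
```

Replace the constructed `$Urls` array with `Get-Content` over an exported log to run it against real traffic; a "review" verdict does not prove the request was malicious, only that it does not match the DO pattern the answer describes.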

2 additional answers

  1. VPHAN 24,120 Reputation points Independent Advisor
    2026-02-12T12:35:44.33+00:00

    Hello Chandra Pal Singh Chauhan

    To resolve the alerts and ensure your server only connects to trusted sources, you must restrict the Download Mode to 'Simple' (ID 99), which forces the use of HTTP/HTTPS directly from Microsoft’s CDN and disables all peer-to-peer functionality. You can enforce this configuration via Group Policy at Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization\Download Mode by selecting 'Simple (99)'. Alternatively, for a precise registry enforcement, create or modify the DWORD value DODownloadMode to 99 (decimal) at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization. Do not use value 0 as suggested previously, as 99 is the specific standard for bypassing peering services on servers. You can immediately validate the remediation by running Get-DeliveryOptimizationStatus | Select-Object DownloadMode in an elevated PowerShell prompt; it should return 'Simple', confirming that traffic to random external IPs will cease.

    Do you find this answer useful? Should you have more questions, feel free to leave a comment. Have a nice day!

    VP
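Both VPHAN answers above prescribe the same remediation: set DODownloadMode to 99 (Simple) under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization and confirm it with Get-DeliveryOptimizationStatus. The script below is an added example (not code from the thread or from Microsoft) that audits the current policy value, sets it only when it differs, and then reports what the agent says is in effect; it assumes it runs in an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the thread): audit and enforce Delivery Optimization
# Download Mode = Simple (99) through the policy registry value named in the
# answers, then show the agent's effective mode. Run from an elevated prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ValueName = 'DODownloadMode'
$Desired   = 99   # Simple: HTTP/HTTPS from the Microsoft CDN only, no peering

function Get-DOPolicyMode {
    # Returns the configured DODownloadMode, or $null when no policy value exists.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-DOPolicyMode {
    # Creates the policy key if needed and writes the DWORD value.
    param([int]$Mode)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Mode `
        -PropertyType DWord -Force | Out-Null
}

$before = Get-DOPolicyMode
if ($before -eq $Desired) {
    Write-Output "DODownloadMode is already $Desired (Simple); nothing to change."
} else {
    $shown = if ($null -eq $before) { 'unset' } else { $before }
    Write-Output "DODownloadMode is $shown; setting it to $Desired (Simple)."
    Set-DOPolicyMode -Mode $Desired
}

# Verify both the policy value and what the DO agent reports as in effect.
Write-Output ("Policy value now: {0}" -f (Get-DOPolicyMode))
# Get-DeliveryOptimizationStatus may return nothing until a download job has run.
Get-DeliveryOptimizationStatus | Select-Object DownloadMode
```

If the server is domain-joined, set the same value through the Group Policy path given in the answer instead, since a conflicting GPO would overwrite a locally written registry value at the next refresh.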


  2. Q&A Assist
    2026-02-12T12:01:05.75+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It appears that you have detected outbound traffic from your Windows server to URLs that are associated with a Microsoft domain, which have been flagged as malicious by Trend Micro threat intelligence. Given that the URLs are related to Microsoft services, it is important to investigate further to determine if this traffic is legitimate or if it indicates a security issue.

    To investigate this situation:

    1. Check the Microsoft Verdict: You can use Microsoft Defender to check the verdict on the URLs in question. This will help you understand if Microsoft has classified these URLs as malicious or if they are part of legitimate Microsoft services.
    2. Review Incident Reports: Look at any incident reports associated with these URLs to see if there have been previous alerts or incidents involving them.
    3. Monitor Outbound Traffic: Since you mentioned multiple outbound requests, it would be prudent to monitor the traffic closely. If you notice unusual patterns or a high volume of requests, it may indicate a compromise.
    4. Use Advanced Hunting: Utilize advanced hunting capabilities in Microsoft Defender to track down any devices communicating with these URLs and to gather more context about the traffic.
    5. Investigate Device Behavior: Check the behavior of the server making these requests. Look for any signs of compromise, such as unusual processes or connections.

    If you suspect that the traffic is indeed malicious, take appropriate actions such as isolating the affected server, running a full security scan, and reviewing your security policies.



