Microsoft may scan you
A client this month noticed strange form-submission activity and asked whether I was still doing security testing of their web application.
Since I was not, I joined the investigation and received a copy of their Apache log file.
I downloaded apache-scalp, which describes itself as follows:
“Scalp! is a log analyzer for the Apache web server that aims to look for security problems. The main idea is to look through huge log files and extract the possible attacks that have been sent through HTTP/GET.”
Viewing the output of Scalp! made it obvious that an automated application scanner was being used. Three things caught my attention:
- The scanner was one I hadn’t heard of: netsparker
- Netsparker is commercial, implying someone was willing to pay money to find vulnerabilities
- The source of the scans was Microsoft
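To show the kind of log triage that made the scanner obvious, here is an added example (not the post's own code and not Scalp! itself): a small Python check that parses Apache combined-format lines, groups requests by source IP, and flags a source whose User-Agent names a known scanner or that submits forms with many POSTs. The log lines, IPs, scanner-name list and POST threshold are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
# Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that identify automated application scanners in a User-Agent (assumed list).
SCANNER_UA_MARKERS = ("netsparker", "nikto", "sqlmap", "acunetix")
# Constructed sample log lines; the addresses and timestamps are not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2011:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.9 - - [12/May/2011:10:02:13 +0000] "POST /contact.php HTTP/1.1" 200 88 "-" "Netsparker"
198.51.100.9 - - [12/May/2011:10:02:14 +0000] "POST /contact.php HTTP/1.1" 200 88 "-" "Netsparker"
198.51.100.9 - - [12/May/2011:10:02:15 +0000] "GET /contact.php?name=%27%22%3C HTTP/1.1" 500 0 "-" "Netsparker"
203.0.113.7 - - [12/May/2011:10:05:40 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

def parse_log(text):
    """Yield one dict per well-formed combined-format line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_sources(text, post_threshold=3):
    """Per source IP: request count, POST count, 5xx count and scanner markers seen in the UA.
    A source is flagged when its UA names a known scanner or it sends at least
    post_threshold POSTs (automated form submission is the symptom the client saw)."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "errors": 0, "scanner_ua": set()})
    for rec in parse_log(text):
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["method"] == "POST":
            s["posts"] += 1
        if rec["status"].startswith("5"):
            s["errors"] += 1
        ua = rec["ua"].lower()
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                s["scanner_ua"].add(marker)
    for s in stats.values():
        s["flagged"] = bool(s["scanner_ua"]) or s["posts"] >= post_threshold
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarize_sources(SAMPLE_LOG).items():
        print(ip, s)
```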
My client was dumbfounded as to why Microsoft was doing this. I suggested they email abuse@microsoft.com with the details and request their assistance.
Lo and behold, Microsoft replied and confirmed they were responsible: their Online Services Security and Compliance (OSSC) team was actively scanning, unbeknownst to my client.
Given this client has a relationship with MS, my guess is they signed something with fine print explicitly allowing MS to perform ad-hoc vulnerability assessments.
Good to know this can happen.
