We have some functionality in our system which sends emails to our customers, where the emails contain secure links with an embedded code.

Whilst inspecting our firewall logs I noticed something unusual. Sometimes (say 10% of cases), when I see a request with a valid code (where the code is in the url params), I see a second request 15-30 seconds later with the same code but coming from a different IP address. The codes are unique to individual users so this is strange. All of our users are in the UK, but some of these second requests are in different countries.

Even stranger, sometimes we see a third request, from the same IP as the second request, but with all the url param values replaced with the literal string "undefined". The url parameter names are maintained.

I have developed a theory around this, which is that the link is initially opened by our customer, and their email client then sends the link to some kind of security service which does some testing and inspection.

I realised that in this case, the second IP addresses would be data centre/corporate IPs, and this is the case. The first requests are always from a domestic ISP, and the second requests a few seconds later are from data centers. Examples of the second IPs are 40.94.102.24, 51.141.125.232 and 23.100.37.234.

One significant hole in my theory is this: what's the point in doing some security inspection on the URL after my user has opened it?

Has anyone else seen such behaviour? Can anyone confirm or dismantle my hypothesis? What is going on here?

EDIT: All of the IPs I gave as examples are hosted in Microsoft Azure.

F_SO_K
  • `whats the point in doing some security inspection on the url after my user has opened it?` It could be the other way around. The users' spam filter is probably 'opening' the message first, and accessing the asset at the URL to inspect it for any malicious content. Then (assuming the spam filter thinks the email is safe) the message appears in the user's inbox, where the user opens it, causing a second request for the asset at the URL. Then, the user could forward the message to another user, causing the URL to be accessed yet again. – mti2935 Jun 08 '21 at 20:14
  • Not really a duplicate but might answer your question anyway: [Do mail servers follow links in emails as part of a security scan before inbox delivery?](https://security.stackexchange.com/questions/211258/do-mail-servers-follow-links-in-emails-as-part-of-a-security-scan-before-inbox-d). In short: the mail might be visited by some security system *before* the user clicked on it – Steffen Ullrich Jun 08 '21 at 20:17
  • @mti2935 I think you're probably right. I only noticed the examples where the requests are very close together because I'm a human after all! Probably there are lots of 'duplicate' requests but they don't look suspicious when separated in time. – F_SO_K Jun 08 '21 at 20:19
  • @SteffenUllrich Yep, that pretty much answers it. I certainly feel relieved that nothing nasty is happening! – F_SO_K Jun 08 '21 at 20:20

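A small log-triage script, added here as an example and not part of the original question, that groups requests by the embedded code and separates the pattern described above (a second fetch from a different IP within seconds, and a later all-"undefined" request) from an ordinary repeat click. The log layout and the domestic IPs (RFC 5737 documentation addresses) are constructed; the data-centre IP is one quoted in the question.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a "timestamp ip method target" layout, not real logs.
SAMPLE_LOG = """\
2021-06-08T19:55:01Z 192.0.2.10 GET /verify?code=k7Qp2x&user=42
2021-06-08T19:55:24Z 40.94.102.24 GET /verify?code=k7Qp2x&user=42
2021-06-08T19:55:31Z 40.94.102.24 GET /verify?code=undefined&user=undefined
2021-06-08T20:10:05Z 198.51.100.7 GET /verify?code=zz91Ab&user=77
2021-06-08T20:10:06Z 198.51.100.7 GET /verify?code=zz91Ab&user=77
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return {when, ip, path, params} for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, _method, target = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "ip": ip, "path": parts.path,
            "params": {k: v[0] for k, v in params.items()}}


def analyse(log_text, window_s=60):
    """Classify each request carrying a code against the first sighting of that code."""
    first_seen = {}   # code -> (time, ip) of the first request that carried it
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or "code" not in req["params"]:
            continue
        # The third-request pattern: every parameter value is the literal "undefined".
        if all(v == "undefined" for v in req["params"].values()):
            findings.append(("undefined-params", req["ip"]))
            continue
        code = req["params"]["code"]
        if code not in first_seen:
            first_seen[code] = (req["when"], req["ip"])
            continue
        t0, ip0 = first_seen[code]
        delta = int((req["when"] - t0).total_seconds())
        if req["ip"] != ip0 and delta <= window_s:
            findings.append(("refetch-other-ip", code, req["ip"], delta))
        elif req["ip"] == ip0:
            findings.append(("repeat-same-ip", code, req["ip"], delta))
    return findings
```

Because a mail security scanner may follow the link either before or after the user, a code that is consumed on the first GET can be spent by the scanner rather than the customer, so such links are safer when the sensitive action requires a further explicit step.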