
My Suricata IDS is generating this alert when starting Thunderbird:

ET INFO Observed DNS Query to .cloud TLD

The corresponding JSON log entry is:

{
  "_index": "suricata-1.1.0-2022.02.11",
  "_type": "_doc",
  "_id": "Uvxd6X4Bz6KASDsJzj8a",
  "_score": 1,
  "_source": {
    "src_autonomous_system": "private",
    "src_ip": "192.168.x.x",
    "dest_port": 53,
    "server_autonomous_system": "private",
    "ip_version": "IPv4",
    "dns": {
      "query": [
        {
          "rrname": "prod-tp.sumo.mozit.cloud",
          "type": "query",
          "rrtype": "AAAA",
          "tx_id": 0,
          "id": 53408
        }
      ]
    },
    "src_hostname": "192.168.x.x",
    "app_proto": "dns",
    "client_autonomous_system": "private",
    "flow": {
      "bytes_toclient": 0,
      "bytes_toserver": 84,
      "pkts_toclient": 0,
      "bytes": 84,
      "start": "2022-02-11T15:19:04.496Z",
      "pkts_toserver": 1,
      "pkts": 1
    },
    "log": {
      "severity": "critical"
    },
    "server_ip": "192.168.1.1",
    "event": {
      "host": "laboratory-host",
      "type": "suricata",
      "subtype": "alert"
    },
    "node": {
      "ipaddr": "10.0.x.x",
      "hostname": "laboratory-host"
    },
    "alert": {
      "action": "allowed",
      "signature": "ET INFO Observed DNS Query to .cloud TLD",
      "rev": 4,
      "gid": 1,
      "severity": 2,
      "signature_id": 2027865,
      "metadata": {
        "deployment": [
          "Perimeter"
        ],
        "former_category": [
          "INFO"
        ],
        "affected_product": [
          "Any"
        ],
        "signature_severity": [
          "Major"
        ],
        "created_at": [
          "2019_08_13"
        ],
        "attack_target": [
          "Client_Endpoint"
        ],
        "updated_at": [
          "2020_09_17"
        ]
      },
      "category": "Potentially Bad Traffic"
    },
    "dest_port_name": "dns (UDP/53)",
    "service_port": "53",
    "in_iface": "enp3s0",
    "@timestamp": "2022-02-11T15:19:04.496Z",
    "tx_id": 0,
    "traffic_locality": "private",
    "server_hostname": "192.168.1.1",
    "proto": "UDP",
    "service_name": "dns (UDP/53)",
    "client_ip": "192.168.x.x",
    "vlan": "0",
    "client_hostname": "192.168.x.x",
    "src_port": 43105,
    "tags": [],
    "dest_hostname": "192.168.1.1",
    "tcp_flags": "none",
    "flow_id": 1282324736546066,
    "dest_ip": "192.168.1.1",
    "dest_autonomous_system": "private",
    "host": {
      "ip": [
        "192.168.x.x",
        (...) 
      ],
      "id": "f8e52e34aea14e72bdb8300859e5c7a9",
      "hostname": "laboratory-host",
      "os": {
        "codename": "focal",
        "family": "debian",
        "name": "Ubuntu",
        "platform": "ubuntu",
        "version": "20.04.3 LTS (Focal Fossa)",
        "kernel": "5.4.0-99-generic"
      },
      "architecture": "x86_64",
      "mac": [
       (...)
      ],
      "containerized": false
    },
    "@version": "1.1.0",
    "src_port_name": "UDP/43105"
  },
  "fields": {
    "flow.start": [
      "2022-02-11T15:19:04.496Z"
    ],
    "@timestamp": [
      "2022-02-11T15:19:04.496Z"
    ],
    "tls.notbefore": [],
    "flow.end": [],
    "tls.notafter": []
  }
}

The Wireshark capture shows:

    Queries
        support.mozilla.org: type AAAA, class IN
            Name: support.mozilla.org
            [Name Length: 19]
            [Label Count: 3]
            Type: AAAA (IPv6 Address) (28)
            Class: IN (0x0001)
    Answers
        support.mozilla.org: type CNAME, class IN, cname prod-tp.sumo.mozit.cloud
            Name: support.mozilla.org
            Type: CNAME (Canonical NAME for an alias) (5)
            Class: IN (0x0001)
            Time to live: 60 (1 minute)
            Data length: 26
            CNAME: prod-tp.sumo.mozit.cloud


    Queries
        prod-tp.sumo.mozit.cloud: type AAAA, class IN
            Name: prod-tp.sumo.mozit.cloud
            [Name Length: 24]
            [Label Count: 4]
            Type: AAAA (IPv6 Address) (28)
            Class: IN (0x0001)
    Authoritative nameservers
        sumo.mozit.cloud: type SOA, class IN, mname ns-1513.awsdns-61.org
            Name: sumo.mozit.cloud
            Type: SOA (Start Of a zone of Authority) (6)
            Class: IN (0x0001)
            Time to live: 358 (5 minutes, 58 seconds)
            Data length: 73
            Primary name server: ns-1513.awsdns-61.org
            Responsible authority's mailbox: awsdns-hostmaster.amazon.com
            Serial Number: 1
            Refresh Interval: 7200 (2 hours)
            Retry Interval: 900 (15 minutes)
            Expire limit: 1209600 (14 days)
            Minimum TTL: 86400 (1 day)

Maybe it is a false positive? Is it just the conventional follow-up query for the CNAME target of support.mozilla.org, as the Wireshark capture suggests (support.mozilla.org → CNAME prod-tp.sumo.mozit.cloud)? Interestingly, searching the internet, the same domain also appears in a Chrome request: https://www.joesandbox.com/analysis/335163/0/html ...and in an Internet Explorer one: https://any.run/report/f2ef2560f02aff409bc72d60fff432529d6ae2b63c862edc5c85ae11b8e3d7e2/ff2e1109-1e49-4bba-9196-534d455fb895

Version:

Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Thunderbird/91.5.0

My syslogs:

Feb 11 12:59:05 localhost thunderbird.desktop[127832]: ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
Feb 11 12:59:05 localhost systemd[2078]: gnome-launched-thunderbird.desktop-127832.scope: Succeeded.
Feb 11 12:59:15 localhost systemd[2078]: Started Application launched by gnome-shell.
Feb 11 12:59:15 localhost thunderbird.desktop[128356]: [calBackendLoader] Using Thunderbird's libical backend
Feb 11 12:59:15 localhost thunderbird.desktop[128356]: [LDAPModuleLoader] Using LDAPDirectory.jsm
Feb 11 12:59:15 localhost thunderbird.desktop[128356]: [MsgSendModuleLoader] Using MessageSend.jsm
Feb 11 12:59:15 localhost thunderbird.desktop[128356]: [SmtpModuleLoader] Using SmtpService.jsm
Feb 11 12:59:17 localhost rtkit-daemon[1577]: Supervising 4 threads of 2 processes of 2 users.
Feb 11 12:59:17 localhost rtkit-daemon[1577]: message repeated 5 times: [ Supervising 4 threads of 2 processes of 2 users.]
Feb 11 12:59:17 localhost rtkit-daemon[1577]: Successfully made thread 128461 of process 128356 owned by '1000' RT at priority 10.
Feb 11 12:59:17 localhost rtkit-daemon[1577]: Supervising 5 threads of 3 processes of 2 users.
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Trying to load /usr/lib/thunderbird/libotr.so"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Trying to load libotr.so from system's standard library locations"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Trying to load libotr.so.5 from system's standard library locations"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Successfully loaded OTR library libotr.so.5 from system's standard library locations"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Successfully loaded OpenPGP library librnp.so version 0.15.2+git20210806.dd923a4e.MZLA from /usr/lib/thunderbird/librnp.so"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Found 12 public keys and 6 secret keys (6 protected, 0 unprotected)"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "Successfully loaded optional OpenPGP library libgpgme.so.11 from system's standard library locations"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.debug: "gpgme version: 1.13.1-unknown"
Feb 11 12:59:17 localhost thunderbird.desktop[128356]: console.warn: services.settings: thunderbird/hijack-blocklists has signature disabled
Feb 11 12:59:18 localhost thunderbird.desktop[128356]: JavaScript warning: resource://gre/modules/Troubleshoot.jsm, line 696: WebGL context was lost.
Feb 11 12:59:18 localhost thunderbird.desktop[128356]: JavaScript warning: resource://gre/modules/Troubleshoot.jsm, line 696: WebGL context was lost.
Feb 11 12:59:18 localhost rtkit-daemon[1577]: Supervising 5 threads of 3 processes of 2 users.
Feb 11 12:59:18 localhost rtkit-daemon[1577]: message repeated 3 times: [ Supervising 5 threads of 3 processes of 2 users.]
Feb 11 12:59:18 localhost rtkit-daemon[1577]: Successfully made thread 128478 of process 128356 owned by '1000' RT at priority 10.
Feb 11 12:59:18 localhost rtkit-daemon[1577]: Supervising 6 threads of 3 processes of 2 users.
Feb 11 12:59:23 localhost rtkit-daemon[1577]: message repeated 6 times: [ Supervising 6 threads of 3 processes of 2 users.]
Feb 11 12:59:23 localhost rtkit-daemon[1577]: Successfully made thread 128562 of process 128489 owned by '1000' RT at priority 10.
Feb 11 12:59:23 localhost rtkit-daemon[1577]: Supervising 7 threads of 4 processes of 2 users.
Feb 11 12:59:26 localhost rtkit-daemon[1577]: message repeated 10 times: [ Supervising 7 threads of 4 processes of 2 users.]
Feb 11 12:59:37 localhost thunderbird.desktop[128624]: [GFX1-]: Failed to connect WebRenderBridgeChild.
Feb 11 12:59:37 localhost thunderbird.desktop[128624]: [GFX1-]: Failed to connect WebRenderBridgeChild.
Feb 11 12:59:38 localhost thunderbird.desktop[128489]: ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
Feb 11 12:59:39 localhost rtkit-daemon[1577]: Supervising 6 threads of 3 processes of 2 users.
Feb 11 12:59:39 localhost rtkit-daemon[1577]: message repeated 5 times: [ Supervising 6 threads of 3 processes of 2 users.]
Feb 11 12:59:39 localhost rtkit-daemon[1577]: Successfully made thread 128865 of process 128782 owned by '1000' RT at priority 10.
Feb 11 12:59:39 localhost rtkit-daemon[1577]: Supervising 7 threads of 4 processes of 2 users.
Feb 11 12:59:41 localhost rtkit-daemon[1577]: message repeated 10 times: [ Supervising 7 threads of 4 processes of 2 users.]
Feb 11 12:59:58 localhost thunderbird.desktop[128356]: ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
Feb 11 12:59:58 localhost systemd[2078]: gnome-launched-thunderbird.desktop-128356.scope: Succeeded.
Feb 11 12:59:59 localhost systemd[2078]: Started Application launched by gnome-shell.
Feb 11 13:00:00 localhost thunderbird.desktop[129098]: [calBackendLoader] Using Thunderbird's libical backend
Feb 11 13:00:00 localhost thunderbird.desktop[129098]: [LDAPModuleLoader] Using LDAPDirectory.jsm
Feb 11 13:00:00 localhost thunderbird.desktop[129098]: [MsgSendModuleLoader] Using MessageSend.jsm
Feb 11 13:00:00 localhost thunderbird.desktop[129098]: [SmtpModuleLoader] Using SmtpService.jsm
Feb 11 13:00:01 localhost rtkit-daemon[1577]: Supervising 4 threads of 2 processes of 2 users.
Feb 11 13:00:01 localhost rtkit-daemon[1577]: message repeated 5 times: [ Supervising 4 threads of 2 processes of 2 users.]
Feb 11 13:00:01 localhost rtkit-daemon[1577]: Successfully made thread 129212 of process 129098 owned by '1000' RT at priority 10.
Feb 11 13:00:01 localhost rtkit-daemon[1577]: Supervising 5 threads of 3 processes of 2 users.
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Trying to load /usr/lib/thunderbird/libotr.so"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Trying to load libotr.so from system's standard library locations"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Trying to load libotr.so.5 from system's standard library locations"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Successfully loaded OTR library libotr.so.5 from system's standard library locations"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Successfully loaded OpenPGP library librnp.so version 0.15.2+git20210806.dd923a4e.MZLA from /usr/lib/thunderbird/librnp.so"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Found 12 public keys and 6 secret keys (6 protected, 0 unprotected)"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "Successfully loaded optional OpenPGP library libgpgme.so.11 from system's standard library locations"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.debug: "gpgme version: 1.13.1-unknown"
Feb 11 13:00:02 localhost thunderbird.desktop[129098]: console.warn: services.settings: thunderbird/hijack-blocklists has signature disabled
Feb 11 13:00:03 localhost thunderbird.desktop[129098]: JavaScript warning: resource://gre/modules/Troubleshoot.jsm, line 696: WebGL context was lost.
Feb 11 13:00:03 localhost thunderbird.desktop[129098]: JavaScript warning: resource://gre/modules/Troubleshoot.jsm, line 696: WebGL context was lost.
Feb 11 13:00:03 localhost rtkit-daemon[1577]: Supervising 5 threads of 3 processes of 2 users.
Feb 11 13:00:03 localhost rtkit-daemon[1577]: message repeated 3 times: [ Supervising 5 threads of 3 processes of 2 users.]
Feb 11 13:00:03 localhost rtkit-daemon[1577]: Successfully made thread 129246 of process 129098 owned by '1000' RT at priority 10.
Feb 11 13:00:03 localhost rtkit-daemon[1577]: Supervising 6 threads of 3 processes of 2 users.



That's a legitimate Mozilla domain. If a security tool tells you that a domain is malicious just because it's under the .cloud TLD, then you should uninstall said tool, and demand your money back if it wasn't free.

  • Thanks for the reply. We are talking about an open-source community ruleset (Emerging Threats). Obviously this rule needs to be commented out on this local machine. – Ecofintech Feb 11 '22 at 19:26
  • The rule is doing what it was designed to do: detect anomalous DNS queries. Queries to .cloud TLDs are not common. You can set this rule to alert rather than block the traffic, which is how my IPS is set up when dealing with DNS alerts – dcom-launch Feb 11 '22 at 19:49