Somehow the firewall started throwing the following IPS for 2 very common email companies.
Intrusion Prevention Alert
An intrusion has been detected. The packet has been dropped automatically. You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: INDICATOR-COMPROMISE Suspicious .win dns query
Details........: https://www.snort.org/search?query=44077
Time...........: 2019-05-26 12:00:37
Packet dropped.: yes
Priority.......: low
Classification.: Misc activity
IP protocol....: 17 (UDP)

Source IP address: INTERNAL MAIL SERVER
Source port: 53472
Destination IP address: 193.5.23.1 (anyres1.ip-plus.net)
Destination port: 53 (domain)
I would like to know what the meaning of the .win DNS query is and why it just started happening?
Thank you