why are random PCs showing as registered to our cloud console?

Are you, or any of the admins on your network, running sophos AD sync. That is the only way that I would think this would be possible.

Yes, we do but these are not domain joined systems.

Purely curious, but have you tried to ping that IP to see if anything responds? 

There's no route to those hosts. We use some networks in 10.0.0.0/8 but neither of the ones that these PCs are alleged to be in.

Hi,

I suppose the obvious things to check/consider initially would be:

1. In the Central Audit logs (cloud.sophos.com/.../audit), no one other than expected admins have logged in to obtain  the URLs of your installers?

2. None of your end users have taken the SophosInstall.exe home or shared it with friends?

3. The URLs of your installers (e.g. dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/.../SophosInstall.exe) have been published/leaked/shared?

Regards,
Jak

Hi,

I suppose the obvious things to check/consider initially would be:

1. In the Central Audit logs (cloud.sophos.com/.../audit), no one other than expected admins have logged in to obtain  the URLs of your installers?

2. None of your end users have taken the SophosInstall.exe home or shared it with friends?

3. The URLs of your installers (e.g. dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/.../SophosInstall.exe) have been published/leaked/shared?

Regards,
Jak