Hi, on 9.707,
e13678.dspb.akamaiedge.net was flagged by the ATP system tonight:
2021:08:28-19:50:28 fw named: rpz: client 192.168.1.3#57698 (e13678.dscb.akamaiedge.net): view default: rpz QNAME NXDOMAIN rewrite e13678.dscb.akamaiedge.net via e13678.dscb.akamaiedge.net
Since Akamai is normally considered a trustworthy CDN, I need more information. What is the reason the traffic is suspicious?
(home user and commercial customer)
Same here, lots of alerts here for DNS requests to that host. Sophos please fix or post the reason for this ATP block.
Virustotal showing only Sophos blocking the host.
We have the same issue since 4h ago.
Maybe false positive.
We are seeing this also since this morning. 23 occurrences so far. All originating from our domain controllers.
Same on our site:
@Sophos please fix!
Same here, 9.707-5
18 ATP alerts since about 07:10 AM (UTC+1), all DNS requests to this specific akamai address.
2021:08:29-07:10:16 XXX named: rpz: client XXX.XXX.XXX.XXX#52321 (e13678.dscb.akamaiedge.net): view default: rpz QNAME NXDOMAIN rewrite e13678.dscb.akamaiedge.net via e13678.dscb.akamaiedge.net
I'm seeing this too on XG and UTM9's.
www.microsoft.com CNAME www.microsoft.com-c-3.edgekey.net
www.microsoft.com-c-3.edgekey.net CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net CNAME e13678.dscb.akamaiedge.net
e13678.dscb.akamaiedge.net blocked by sophos
Has to be a false positive, or some really deep DNS hijacking!
And it’s not the first time this occurs. Thread below is from over a year ago, same url:
Virustotal shows only Sophos have flagged this - www.virustotal.com/.../detection
Their description link - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx - says this is a Windows threat. My only user being flagged with this is a Mac.
Akamai is a known Apple CDN, so I'd say this is pretty safe to ignore [again]
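As an added example (not code from this thread, Sophos or Akamai), a small Python triage helper for the situation above: it parses RPZ rewrite lines in the format quoted in the thread into per-client counts, and walks the posted CNAME chain offline to confirm that the flagged host is simply where www.microsoft.com ends up resolving. The regex and the 10.0.0.7 client address are assumptions; the rest of the sample data is taken from the posts.

```python
import re
from collections import Counter

# Field layout of the "rpz: client ... rewrite ... via ..." lines quoted in the thread
# (assumed from those samples, not taken from BIND or Sophos documentation).
RPZ_RE = re.compile(
    r"rpz: client (?P<client>[\w.]+)#\d+ \((?P<qname>[^)]+)\): view (?P<view>\S+): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<name>\S+) via (?P<via>\S+)"
)

def parse_rpz_line(line):
    """Return the RPZ fields of one log line as a dict, or None if it is not an RPZ line."""
    m = RPZ_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count rewrites per (client, rewritten name): the tally posters above did by hand."""
    counts = Counter()
    for line in lines:
        rec = parse_rpz_line(line)
        if rec is not None:
            counts[(rec["client"], rec["name"])] += 1
    return counts

def follow_cnames(name, cname_map, limit=10):
    """Walk CNAMEs from `name` until a terminal name (or `limit` hops, to stop loops)."""
    chain = [name]
    while name in cname_map and len(chain) <= limit:
        name = cname_map[name]
        chain.append(name)
    return chain

# Constructed samples: the two log lines from the thread (second client address is made up)
# and the CNAME chain one poster resolved for www.microsoft.com.
SAMPLE_LOG = [
    "2021:08:28-19:50:28 fw named: rpz: client 192.168.1.3#57698 (e13678.dscb.akamaiedge.net): "
    "view default: rpz QNAME NXDOMAIN rewrite e13678.dscb.akamaiedge.net via e13678.dscb.akamaiedge.net",
    "2021:08:29-07:10:16 XXX named: rpz: client 10.0.0.7#52321 (e13678.dscb.akamaiedge.net): "
    "view default: rpz QNAME NXDOMAIN rewrite e13678.dscb.akamaiedge.net via e13678.dscb.akamaiedge.net",
]
CNAME_MAP = {
    "www.microsoft.com": "www.microsoft.com-c-3.edgekey.net",
    "www.microsoft.com-c-3.edgekey.net": "www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net",
    "www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net": "e13678.dscb.akamaiedge.net",
}

if __name__ == "__main__":
    for (client, name), n in summarize(SAMPLE_LOG).items():
        print(f"{client} -> {name}: {n} rewrite(s)")
    print(" -> ".join(follow_cnames("www.microsoft.com", CNAME_MAP)))
```

If the terminal name of a chain from a well-known apex matches the rewritten name in the log, the alert is explained by normal CDN resolution rather than by the client contacting the host directly.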
Multiple locations having the same detections.
maybe they just fixed it?