Suspicious Network Connection

Lately I have been seeing network requests coming from my Desktop system that go to go.microsoft.com/fwlink/?LinkId=397650. This page currently is redirecting out to https://woodgrove.com/compatibilityexchangeservice.svc/extended which is having what appears to be SSL cert errors. These requests started on June 4th.

This traffic is suspicious as the domain appears to be a parked domain that doesn't appear to have anything to do with Microsoft, yet it is being redirected from a Microsoft domain.

I have found some surrounding info that states it may be related to https://support.microsoft.com/en-us/kb/2976978; however, I cannot confirm this at the current time.

I have currently blocked all traffic to the woodgrove domain and the IP that is hosting it currently (operated by DOSarrest). Is anyone else experiencing this same traffic? Have you been able to confirm the underlying cause?

June 22nd, 2015 12:13pm

We have seen the same problem on Windows 7 desktops. Currently investigating.

June 23rd, 2015 12:59pm

Also seeing tons of suspicious traffic to https://woodgrove.com 6/24/2015
June 24th, 2015 2:31pm

Hi,

Thanks for your feedback. What's the current status now? On my side it now shows "This page cannot be displayed". Since woodgrove.com is not a domain hosted by Microsoft, we suggest you keep blocking all traffic to woodgrove. Again, we appreciate your time and feedback on this.

Regards,

D. Wu

June 28th, 2015 9:38pm

It appears that a change was made on the backend (Microsoft side) as the URL of go.microsoft.com/fwlink/?LinkId=397650 is now redirecting to the URL of https://woodgrovebank.com/compatibilityexchangeservice.svc/extended which is owned by Microsoft.

I am curious to know what type of information our systems were sending out to this domain instead of to the Microsoft owned domain. As it was SSL traffic I was unable to see inside of the communication stream but this is very concerning. Based on the introduction of https://support.microsoft.com/en-us/kb/2976978?wa=wsignin1.0 it appears that it was probably hardware information about our current systems and if this falls into the wrong hands it could potentially be very bad.


June 30th, 2015 12:51pm

Hi,

Thanks for the feedback. I found some information about Woodgrove.

It seems that Woodgrove Bank was established as a fictitious financial institution for use by Microsoft Corporation in demos and marketing. It is not a real organization; it provides test demos to customers and IT departments. I understand your concern, but Microsoft will never access any user's private information or provide this information to other organizations without consent.

Regards,

D. Wu

July 5th, 2015 9:25pm

This topic is archived. No further replies will be accepted.
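
The check discussed in this thread (a go.microsoft.com fwlink redirecting to a host outside the expected domains) can be run over proxy logs. The following is an added example, not code from any poster or from Microsoft; the log format, the sample lines and the `EXPECTED_DOMAINS` policy are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: domains this site expects the fwlink to resolve to. The thread
# reports woodgrovebank.com as Microsoft-owned; adjust to your own policy.
EXPECTED_DOMAINS = {"microsoft.com", "woodgrovebank.com"}
WATCHED_HOST = "go.microsoft.com"

# Constructed sample in a made-up "date method url status location" format.
SAMPLE_LOG = """\
2015-06-04 GET http://go.microsoft.com/fwlink/?LinkId=397650 302 https://woodgrove.com/compatibilityexchangeservice.svc/extended
2015-06-30 GET http://go.microsoft.com/fwlink/?LinkId=397650 302 https://woodgrovebank.com/compatibilityexchangeservice.svc/extended
2015-06-30 GET http://go.microsoft.com/fwlink/?LinkId=397650 302 https://woodgrovebank.com.example/x
2015-06-30 GET http://intranet.example/home 200 -
"""

def in_expected_domain(host):
    """Match on whole DNS labels so lookalike hosts do not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def unexpected_redirects(log_text):
    """Return (date, target_host) for watched redirects leaving EXPECTED_DOMAINS."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed format
        date, _method, url, status, location = parts
        if not status.startswith("3") or location == "-":
            continue  # only redirects carry a Location target
        if (urlsplit(url).hostname or "").lower() != WATCHED_HOST:
            continue
        # Resolve relative Location values against the request URL first.
        target = urlsplit(urljoin(url, location)).hostname or ""
        if not in_expected_domain(target):
            findings.append((date, target))
    return findings

if __name__ == "__main__":
    for date, host in unexpected_redirects(SAMPLE_LOG):
        print(f"{date}: {WATCHED_HOST} redirected to unexpected host {host}")
```

The label-boundary comparison is what separates woodgrove.com from woodgrovebank.com; a plain substring or prefix test would treat them as related.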
