Unexpected connections to an IP address located in Nigeria
Hello everyone.
In the last few months we have seen over 400 direct connections to this IP address: 196.49.32.6, which is associated with the Internet Exchange Point of Nigeria (IXPN).
- The URLs associated with the connections appear to be related to Microsoft and follow a pattern of:
  - 196.49.32.6/filestreamingservice/files/XXXXXX/XXXXX&cacheHostOrigin%3d9.tlu.dl.delivery.mp.microsoft.com
  - 196.49.32.6/filestreamingservice/files/XXXXX/pieceshash?cacheHostOrigin%3ddl.delivery.mp.microsoft.com
- The logs for some of the connections show associated files, which also appear related to Microsoft:
  - Microsoft.NET.Native.Framework.2.2_2.2.29512.0_x64__XXXXX.Appx
  - Microsoft.VCLibs.140.00_14.0.33519.0_x86__XXXXX.Appx
  - Microsoft.NET.Native.Runtime.2.2_2.2.28604.0_x64__XXXXX.Appx
Some of the connections show Microsoft Delivery Optimization as the UA.
It looks like the connections could be related to Microsoft updates being downloaded. However, I want to confirm whether the IP is in any way associated with Microsoft. The IP appears to be listed as a member of the IXPN (bgpview.io/ix/224).
Microsoft Delivery Optimization seems to be affected by the use of services which change/anonymise users' locations, such as VPNs or proxies.
Does anyone have any idea what could be causing these connections?
Thank you.
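One way to triage the connections described in the post above, added here as an example and not part of the original post: it separates requests to 196.49.32.6 that fit the URL pattern and user agent from the post from requests that do not, so the unexplained remainder can be reviewed first. The tab-separated log layout, the sample lines, the user-agent spelling and the function names are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Values taken from the post.
WATCHED_IP = "196.49.32.6"
PATH_PREFIX = "/filestreamingservice/files/"
ORIGIN_SUFFIX = "dl.delivery.mp.microsoft.com"
# The parameter follows "?" or "&"; "=" is logged as "%3d", so URLs are decoded first.
ORIGIN_RE = re.compile(r"[?&]cacheHostOrigin=([^&\s]+)", re.IGNORECASE)
# Assumption: the UA string has a space or hyphen between the words.
UA_RE = re.compile(r"microsoft[ -]delivery[ -]optimization", re.IGNORECASE)

# Constructed sample log (tab-separated: time, client, URL, user agent).
SAMPLE_LOG = """\
2024-01-10T08:01:02Z\t10.0.0.21\t196.49.32.6/filestreamingservice/files/aaaa/bbbb&cacheHostOrigin%3d9.tlu.dl.delivery.mp.microsoft.com\tMicrosoft-Delivery-Optimization/10.0
2024-01-10T08:01:05Z\t10.0.0.21\t196.49.32.6/filestreamingservice/files/aaaa/pieceshash?cacheHostOrigin%3ddl.delivery.mp.microsoft.com\t-
2024-01-10T09:14:40Z\t10.0.0.37\t196.49.32.6/filestreamingservice/files/cccc/dddd?cacheHostOrigin=notdl.delivery.mp.microsoft.com\tMicrosoft-Delivery-Optimization/10.0
2024-01-10T09:20:00Z\t10.0.0.37\t196.49.32.6/login.php\tcurl/8.0
2024-01-10T09:21:00Z\t10.0.0.40\t203.0.113.9/index.html\tMozilla/5.0
"""

def classify(url, user_agent):
    """Label one request: other_host, matches_pattern, pattern_url_other_ua, unexplained."""
    decoded = unquote(url.split("://", 1)[-1])
    host, _, rest = decoded.partition("/")
    if host.split(":")[0] != WATCHED_IP:
        return "other_host"
    path_ok = ("/" + rest).lower().startswith(PATH_PREFIX)
    match = ORIGIN_RE.search(decoded)
    origin = match.group(1).lower() if match else ""
    # Exact host or a subdomain only, so "notdl.delivery..." does not pass.
    origin_ok = origin == ORIGIN_SUFFIX or origin.endswith("." + ORIGIN_SUFFIX)
    if not (path_ok and origin_ok):
        return "unexplained"
    return "matches_pattern" if UA_RE.search(user_agent) else "pattern_url_other_ua"

def triage(log_text):
    """Return (label counts, unexplained log lines) for requests to WATCHED_IP."""
    counts, unexplained = Counter(), []
    for line in log_text.splitlines():
        fields = line.split("\t")
        label = classify(fields[2], fields[3]) if len(fields) == 4 else "other_host"
        if label == "other_host":
            continue
        counts[label] += 1
        if label == "unexplained":
            unexplained.append(line)
    return counts, unexplained
```

A match only means the request looks like the pattern in the post; it does not establish who operates the host at that address.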