Microsoft Sinkhole HTTP Events Report

LAST UPDATED: 2022-06-27

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft HTTP sinkhole servers. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to a varying degree) understand connections coming from infected devices.

Since a sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list. However, the sinkholes may also pick up web crawlers requesting malicious domains.

Report format is the same as the Sinkhole HTTP Events Report.

You can learn more on the report in our Sinkhole HTTP Events Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

File names: event4_microsoft_sinkhole_http.


  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • http_url
    HTTP request
  • http_host
    HTTP host extracted from the URL
  • http_agent
    HTTP user agent
  • forwarded_by
    HTTP proxy header
  • ssl_cipher
    SSL cipher used
  • http_referer
    Content of the HTTP referer


"2021-06-07 00:00:00","tcp","31.206.x.x",49245,8386,"TR","ANTALYA","KEPEZ",,,,,,,"",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/locator.php","",,,,
"2021-06-07 00:00:00","tcp","177.140.x.x",35919,28573,"BR","SAO PAULO","SAO PAULO",,517312,,,,,"",443,8075,"US","WASHINGTON","REDMOND",,334111,"Information","MSDCU","caphaw",,"caphaw",,,,"/index.php","","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.6103)",,,"null"
"2021-06-07 00:00:01","tcp","180.190.x.x",49264,132199,"PH","CEBU","MANDAUE",,517311,,,,,"",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/locator.php","",,,,
"2021-06-07 00:00:01","tcp","197.157.x.x",55307,37129,"KE","NAIROBI CITY","NAIROBI",,,,,,,"",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/news/stream.php","",,,,
"2021-06-07 00:00:01","tcp","174.114.x.x",59000,812,"CA","ONTARIO","OTTAWA",,517311,"Communications, Service Provider, and Hosting Service",,,,"",80,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU","necurs",,"necurs",,,,"/locator.php","",,,,

Our 128 Report Types