Jul 23, 2019

Unusual traffic from service provider "Microsoft Corporation"

In the last 8 months or so, I've been noticing an increase in suspect traffic in GA. I first noticed it when we started seeing higher than usual Wyoming traffic. Now, Wyoming has gone from bottom 5 for traffic to regularly appearing in the top 5 and the issue has become substantially worse in the last month or so.

When I started investigating the issue further, I noticed that there are six cities that are contributing to the unusual traffic:

- Cheyenne, WY

- Quincy, WA

- Des Moines, IA

- San Antonio, TX

- Washington, DC

- Chicago, IL

A large amount of traffic from these cities as well as traffic that has (not set) for location, lists a service provider of "Microsoft Corporation" in GA. Bounce rates for this traffic don't seem particularly unusual (70-75% for the most part), but average session duration is incredibly low considering that pages/session averages 1.5. It's also not in line with all other traffic. It seems to be some sort of bot, but I have set GA to not include known bots and spiders. I was wondering if anyone knows what this traffic is before I exclude all traffic with this service provider. I have included a screenshot of a custom report that shows the traffic for the last week.

Details

Other Google Analytics Questions

Locked

Informational notification.

This question is locked and replying has been disabled.

Community content may not be verified or up-to-date. Learn more.

Last edited Dec 2, 2019

All Replies (19)

AJW Marketing

Aug 8, 2019

I've seen a very similar thing, since April we've seen a huge increase in traffic from this source. All from the US.

Google user

Dec 4, 2019

We're also seeing this starting on 12/04/19. Large spike in traffic from 'CPC/Bing' from Quincy, WA and Chicago, IL.

Kelvin M.

Dec 5, 2019

I'm facing the same problem. A significant amount of my daily traffic is originating from the service provider microsoft corporation with the following metrics:

Location: Chicago
Browser: Internet Explorer
Screen Resolution: 1024x768
Avg. Session Duration: 00:00:02 (2 seconds)
Bounce Rate: 100%

This has completely skewed my analytics data explaining the oddly high bounce rate I've been observing of late.

Update:

So I've managed to get rid of this traffic. In my case all the traffic was originating from the IP address: 23.100.232.233. You can check the extensive abuse reports by this IP here. Since my sites are on Cloudflare, I just used Cloudflare Firewall Rules to block the IP including the bogus User Agent the IP was using: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0).

Since the IP address may not be the same, you could temporarily onboard your site on Cloudflare to find the IP address. Just block the user agent above using one of the 5 firewall rules you're allotted then come back after a few hours and check the 24 hour log to see the blocked IPs. You can also install the DataDome app in Cloudflare which will give your IPs and other stats for all the bad bot traffic you're receiving. You can then block the IPs using a WAF, firewall plugin or talk to your host to block them on their end.

Last edited Dec 16, 2019

David Kamm

Dec 13, 2019

Same basic issue here, all from Chicago with service provider = "microsoft corporation". Only impacts direct traffic.

Could it possibly be a Cloudflare bot or other CDN-based crawler?

Certainly is annoying, in any case.

By the way, the StopBadBots plugin for WordPress does not eliminate this one. I like the plugin, but it doesn't seem to be a solution for this specific issue.

Stephen Gaede

Dec 16, 2019

I am seeing this traffic as well.

My company's Marketing and Communications office created a standardized Outlook email signature for employees to put in their email signatures, with links to our website homepage. The links track clicks via Bitly and GA UTM parameters. The majority of traffic attributed to the campaign used in these signatures is from Service Provider: microsoft corporation. However, the region is not Chicago, instead:

San Antonio, Texas (30%)
Demoines, Iowa (24%)
Cheyenne, Wyoming (23%)
Quicy, Washington (15%)
Washington, Virginia (4%)
and others.

My company is on Office 365.... could this be a clue?

Erica Cowan

Dec 19, 2019

I'm also seeing the same bot-like traffic in my site direct traffic analytics.

TimSim

Dec 28, 2019

This looks like traffic related to bing ads for me because the referral url includes keywords. I'm guessing it's bing ad's version of checking the pages relevance for the cpc keywords.

User 8299276283445305563

Dec 30, 2019

Same on my page. Since beginning of December I have a lot of traffic from Chicago visiting my page with IE 9. If I am checking the IP Adresses with https://www.abuseipdb.com/ (example: 207.46.13.233 or 207.46.13.1 )they tell me, that the traffic is coming from microsoft servers. If so, where i can find a way to disable the logging for the MS spiders in GA?

Last edited Dec 30, 2019

Lachlan O'Connor

Jan 5, 2020

Also experiencing this issue. Same as the above. Chicago traffic, Microsoft Corp servers, 1 second sessions. Interested to know what is causing the traffic. We're Australian based.

Ant.N.

Jan 8, 2020

seeing this traffic as well, with weird network domain attached to it in Analytics. For now I am blocking traffic to my website from the reported IP to be safe, not filtering it from Analytics, but would like to understand if this is a crawler or somebody with worse intentions.

Oliver Placek

Jan 10, 2020

Same problem detected here. We're based in Germany. In our case Microsft bot traffic comes from Ireland (Dublin). That ruins our stats. How to behave / exclude this? I do not want to exclude via ISP organisation, cause that'll exclude human traffic too.

How to exclude smart / solve that issue best? Does anybody got an idea?

HDR Inc.

Jan 15, 2020

We are seeing the same thing since 9/2019. It is hitting one particular page only. For now, to do reports for that page I made a Segment to exclude source that is bbfugb-egh-fafjfyfggfe-5349.

Global Analytics

Jan 20, 2020

Same here, we have a lot of traffic from "microsoft corporation" and I really don't want to exclude the ISP Organization. Something strange is that half of this traffic is Linux based, and we know that this is not a popular OS.