
nexus-websocket-a.intercom.io

justwondering
Level 1

We've been receiving multiple alerts regarding this domain "nexus-websocket-a.intercom.io".

User traffic shows it's related to legitimate web traffic.

Submitted the domain to sandboxing and it's benign. Also other OSINT categorized it under Technology/Internet and Business-and-Economy. 

Checked Cisco Talos portal and this has been categorized as phishing recently, Dec. 12.

Requested re-categorization on this via Cisco Talos and it's still pending.

Would like to know your thoughts or if anyone has encountered this domain? Thank you.

 

 

Accepted Solutions

justwondering
Level 1

Updating this: Cisco Talos has fixed the categorization to TRUSTED.

** Fixed - FP - Talos has concluded that the submission is safe to access at this time; the submission's reputation has been improved


4 Replies

brettp
Level 1

I too have observed this recently. It seems some sources note it as malicious, while others do not. I'm curious as well as I do not have a definite answer. Resource monitor on Windows machines shows chrome.exe as the culprit... but as for what it is... no idea. 

tkamish22
Level 1

Same here. Trying to track down correlation to the origination of the traffic. It appears, at least in our situation, that it is an embedded application in Microsoft Teams or other MS applications.

justwondering
Level 1

Same on my end, its initiating process is chrome.exe or edge.exe.

Checked logs further and seeing the domain categorization is different between Cisco Umbrella and Firepower... aren't they supposed to have threat intelligence?

Firepower has URL filtering; nonetheless its DNS Category=Phishing, while Umbrella assessed it under Software/Technology, Business Services, Application, Business and Industry.
