May 9, 2021

Help Understanding Domain Activity

Could someone help me understand what type of malware would cause this type of domain request activity? The investigation started with an Umbrella alert showing a single host reaching out to 5 malicious domain names. Upon further review, I found thousands of queries to thousands of sketchy domains, all within just 3 minutes, all from the same individual hosts. Then the queries stopped and DNS activity resumed to normal business stuff. I questioned the user about their actions and system behavior during this time; they had no odd system behaviors and said they were reviewing emails but didn't click on any suspicious links or attachments. My thought was something tried to load in the background of Outlook when reviewing emails, but I want to learn more about what type of malware would cause this. I've used Umbrella logs to prove smaller malicious web requests, but the enormity of the requests in a short period of time piqued my interest.

I posted a sample of the domain activity on pastebin.

Thanks for your input.
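As an added example (not part of the original post), here is a small Python burst detector over constructed Umbrella-style DNS log lines. It flags any host that resolves more than a threshold of distinct domains inside a sliding window, which is the pattern described above: thousands of distinct domains in about 3 minutes, then a return to normal lookups. The `timestamp,host,domain` layout, the sample lines and the thresholds are assumptions, not a real Umbrella export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp,host,domain" layout
# (not a real Umbrella export). Host ws-17 burns through many distinct
# domains within seconds, then goes back to ordinary business lookups.
SAMPLE_LOG = "\n".join(
    [f"2021-05-09T09:00:{i:02d},ws-17,host{i}.example-sketchy.test" for i in range(12)]
    + [
        "2021-05-09T09:00:30,ws-17,mail.example.test",
        "2021-05-09T09:00:31,ws-22,update.example.test",
        "2021-05-09T09:00:32,ws-22,cdn.example.test",
        "2021-05-09T09:05:00,ws-17,crm.example.test",
    ]
)

def parse(lines):
    """Yield (timestamp, host, domain) tuples from the assumed CSV-style layout."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split(",", 2)
        yield datetime.fromisoformat(ts), host, domain.strip().lower()

def find_bursts(lines, window=timedelta(minutes=3), max_unique=10):
    """Return {host: (first_ts, last_ts, peak_unique)} for every host whose
    count of distinct queried domains within any `window` exceeds `max_unique`."""
    recent = defaultdict(deque)   # host -> time-ordered deque of (ts, domain)
    alerts = {}
    for ts, host, domain in sorted(parse(lines)):
        q = recent[host]
        q.append((ts, domain))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        unique = {d for _, d in q}
        if len(unique) > max_unique:
            # keep the first alert time, extend the end, track the peak count
            first, _, peak = alerts.get(host, (q[0][0], ts, 0))
            alerts[host] = (first, ts, max(peak, len(unique)))
    return alerts

if __name__ == "__main__":
    for host, (start, end, peak) in find_bursts(SAMPLE_LOG).items():
        print(f"{host}: {peak} distinct domains between {start} and {end}")
```

In a real environment the threshold needs tuning per host role, and counting distinct registered domains rather than full hostnames avoids flagging CDN or telemetry traffic that legitimately fans out across many subdomains.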

