Advanced Threat - Is this a false positive?

My 2 cents -- we're seeing this at a number of sites, it appears a marketing site called mapitquick.net --- the links embedded on some popular site out there) uses this IP for tracking purposes, etc. -- frankly we are just blocking the domain to prevent the annoying messages from popping up, frankly in this case probably a false positive, but do your own investigation.

Meant to add -- this IP is probably a load balancer IP, etc. and maybe shares its use with another site that maybe was malicious, who knows.  Won't be the first time I've seen ATP freak out in this manner.

Thank you Bruce.

Thank you Bruce.

Why are we blocking it?  Well, can't find much info on that domain, so we err on the side of caution and drop it.  You can figure out the reference if you have DNS logging enabled on your DC etc. -- that's how we figured out what domain triggered it.  Still haven't figured out what site contains the links, but we've had customers across several verticals all pop up with this randomly, in the past week.

Also, FWIW, the Sophos MTR team (we have several customers on it) have not gotten excited about it either :)

And one further bit of info; it does appear if you chase down that domain, one of their published links tries to make you put a "safe browsing extension" on Edge -- so further reason to just block it.  I would not whitelist the IP (we have not done that anywhere either).