Looks like around September 24th, this ruleset started activating the rule below on mobile devices. I’ve noticed it on iPhones and iPads; not sure if it’s also triggering on Android devices. Just an FYI for the community. It does seem like it’s the same IP in most cases, which belongs to Amazon. I have not noticed if this in any way impacts the user experience. I have not heard any reports nor experienced any issues myself.
Name: ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)
Priority: 1
Type: A Network Trojan was detected
IP Info: 192.168.11.217:50811 -> 54.173.154.19:443
SID: 91599108