Scanners

Stretchoid

Stretchoid is one of the most prolific scanners on the internet, but also one of the shadiest. Stretchoid.com offers a single-page website that says:

"Stretchoid is a platform that helps identify an organization's online services. Sometimes this activity is incorrectly identified by security systems, such as firewalls, as malicious. Our activity is completely harmless."

This is followed by an opt-out form. Thin. Very thin. Neal Krawetz mentions them in passing in the main text, but the vast majority of comments (last modified in 2024) concern stretchoid, including speculation on its origins and purpose. This and a few odd Reddit posts provide much of what is known about them.

Stretchoid is a Microsoft operation, running in its Azure cloud (AS 8075). While whois content is often forged, the record for stretchoid.com is held by MarkMonitor and should be trustworthy.

Domain Name: stretchoid.com
Registry Domain ID: 2027075945_DOMAIN_COM-VRS
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2025-04-07T12:52:48+0000
Creation Date: 2016-05-09T21:35:59+0000
Registrar Registration Expiration Date: 2026-05-09T00:00:00+0000
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2086851750
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: domains@microsoft.com
Tech Name: MSN Hostmaster
Tech Phone: +1.4258828080
Tech Email: msnhst@microsoft.com
Name Server: ns1-37.azure-dns.com
Name Server: ns3-37.azure-dns.org
Name Server: ns4-37.azure-dns.info
Name Server: ns2-37.azure-dns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2026-03-08T16:40:33+0000 <<<

We have not seen any statements from Microsoft about this service, much less denials of ownership, but they obviously take pains to obscure that ownership. They may look shady, but it works: the fact that Microsoft runs Stretchoid is obscure. One of the commenters in Krawetz's thread makes the claim, but it's buried under speculation about 3-letter agencies and other monsters.

Stretchoid seems to do just what it says on the tin: it identifies online services. Of 1588 IPv4 probes logged on a public mail server over a bit more than a day, 1392 were TCP SYN packets, 195 small UDP and one TCP RST, all over a broad range of ports. Not the profile of a malicious actor; it really does seem to be a broad but shallow scan of the world's online services. However, Microsoft is another giant corp making money by extracting information from us while being unwilling to share that information back with us. Fuck 'em.
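The packet-type breakdown above is the kind of summary that separates a shallow service census from a targeted attack. The following added example (not code from the page or from Stretchoid) builds that profile from netfilter-style firewall log lines. The log lines and source addresses are constructed for illustration, and the "packets per target" figure is my own heuristic: a value near 1.0 means one probe per source and port, which is what a broad-but-shallow scan looks like, whereas repeated packets to one port from one source would suggest retries or login attempts.

```python
import re
from collections import Counter

# Constructed netfilter-style firewall log lines (not the page's own log);
# source addresses are documentation-range placeholders.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=51 ID=0 DF PROTO=TCP SPT=52341 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=51 ID=0 DF PROTO=TCP SPT=52342 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=44 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=40 TTL=49 ID=0 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
kernel: DROP IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=29 TTL=48 ID=0 DF PROTO=UDP SPT=39000 DPT=161 LEN=9
kernel: DROP IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=29 TTL=48 ID=0 DF PROTO=UDP SPT=39001 DPT=123 LEN=9
"""

# Key=value fields we care about; the TCP flags are bare tokens (SYN, ACK, RST).
FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Reduce one log line to source, packet kind and destination port."""
    fields = dict(FIELD.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # not a packet log line
    tokens = set(line.split())
    proto = fields["PROTO"]
    if proto == "TCP" and "RST" in tokens:
        kind = "tcp_rst"
    elif proto == "TCP" and "SYN" in tokens and "ACK" not in tokens:
        kind = "tcp_syn"  # bare SYN: a connection attempt, no handshake completed
    elif proto == "UDP":
        kind = "udp"
    else:
        kind = "other"
    return {"src": fields["SRC"], "kind": kind, "dport": int(fields.get("DPT", 0))}


def profile(log_text):
    """Summarise a log the way the paragraph above does: counts by packet kind,
    breadth of ports and sources, and how often a (source, port) pair repeats."""
    packets = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    kinds = Counter(p["kind"] for p in packets)
    pairs = {(p["src"], p["dport"]) for p in packets}
    return {
        "total": len(packets),
        "kinds": dict(kinds),
        "distinct_sources": len({p["src"] for p in packets}),
        "distinct_ports": len({p["dport"] for p in packets}),
        # ~1.0 means one probe per source and port: no retries, no repeated
        # attempts against a single service (my heuristic, not the page's).
        "packets_per_target": round(len(packets) / len(pairs), 2) if pairs else 0.0,
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it your own firewall log (one netfilter LOG line per entry) to compare the SYN/UDP/RST split and port breadth against the figures quoted above.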

The Krawetz thread included a claim that stretchoid was trying to hack a VPN login, but it was not followed up. Another post claimed that stretchoid not only continued to scan after an opt-out but escalated the scanning and hacking attacks on his system. There was no follow-up in the thread. Neither of these claims matches my experience, but they bear watching.

Stretchoid is hard to locate in IP space. Public organizations that run scanners usually publish the addresses that send their probes. Onyphe, for example, does so on their front page. Like Stretchoid, they offer an opt-out on that page, but they helpfully suggest that recipients simply block those published addresses if they do not wish to submit the form. (Azure publishes a number of other lists, which I will get to, eventually.)

Two lists that try to be current:

We have used S. Victor's lists for many years, but frequently see scans from unlisted stretchoid.com hosts, perhaps daily. Typically, they would be listed the following day. Looking at the DNS, Microsoft uses hostnames with short TTLs and no reverse DNS for the stretchoid.com domain. The DNS sometimes returns 127.0.0.1 for "hostname".stretchoid.com, for some values of "hostname". It looks very much as if Microsoft rotates a set of host names (now starting with the letters "azp") over a larger range of IP addresses. To get some notion of that larger range of IPs, we combined OpenFilters' and svictor's lists of IPv4 addresses, generated a list of the /24 networks that contain them, and then aggregated that. Packets from these networks were logged, and all of the data shown here came from that log.

There were probes from 988 unique IPs. 559 of those had no reverse DNS (NXDOMAIN), while the rest were from named stretchoid.com hosts. No pattern was apparent in the use of named and unnamed hosts.

Talosintelligence.com reports on /24s containing these named hosts are usually interesting, Some contain mostly named hosts, but others are a mixture of named and unnamed hosts. Many of the unnamed hosts send significant volumes of mail, many showing a "used every other day" pattern. Drilling down all the way to the containing /21s reveals vast numbers of hosts with no rDNS. Most send significant monthly volumes. I speculate that Microsoft may probe from any IP in those /24s, both named and unnamed, and that they will not use those /24s as normal servers. A weaker speculation is that this extends to networks as large as /21s. Based on the firmer speculation, we now block all traffic from our list of stretchoid /24s (over 263K host IP addresses), and hope to block more.