Yes I have just seen this across many clients.  when I look up hash on virus total it says item not found. 

Support must be getting smashed as they are not answering....

Update:  Got through to support and they are investigating but that this point they think a false positive.  They are going to update the banner in security center once they know

Does anyone have any ideas about what it is, best i can guess is its an O365 update

Yes sir...seeing the same thing.  Good times.

Hey team,

We are seeing some of these pop up, and are currently investigating. 

The file seems to be a recent O365 update, and we are trying to understand if this is a false positive.

Please bear with us!

Giac

Getting hammered with this also, end users are only surfing "msn.com" for news.

We fall into the "us too" category.

SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873
Filename: i640.c2rx
Type: Zip
Size: 1048576 bytes

URLs:
http://b.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.15601.20088/...
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.15601.20088/...

Same here, it looks a false positive, our antivirus didn't detect it but MX yes, more info:

https://www.virustotal.com/gui/url/08afc11fee242400b362e94987c367581a06677a65ae03bf7d28a33e2186814c/...

https://www.joesandbox.com/analysis/347996/0/html

I'm getting slammed with hundreds of alerts this morning as well:

Seeing 131 clients affected across multiple networks.  

Threat Name: i640.c2rx

First seen: 7:20AM EST

Size: 1048576 bytes

SHA256: d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873

We also have the same issue, ticket reported straight away and at the time they didn't have other reports, looks like they are rolling in now.

same for me today:

same here this this is not the 1st time to consider Office update as Malicious 

Anyone contacted Cisco Support ?

Same......seems to be "Spreading" over our network as clients come online this morning......good times.....good times...

Update: Found this in our Defender logs at same time of alert from Meraki.

same here too.

source [xxxx].[cdn].[office].[net]...

+ us too

+us too - same file, same pattern, multiple international locations

It would be good to know what Cisco TAC know about this - hopefully a false positive, and the alternative is not very promising.

Same situation

actual VT of the file:
https://www.virustotal.com/gui/file/539a3d3ef75f466755c8fce73ba0a04047a9e34a308e07536883bfbedb3790c5...

Same issue across multiple clients

False positive guys. This is a Microsoft update where they used the file type C2RX which is not on the inspection list in the Meraki AMP. 

Use the URL in the alerts to search VirusTotal. VirusTotal - URL - 1a81b30aaf0e0f44b913a3a1f53d1ecd91d274b23d03cf866a4f57d32cb5f487 The hash won't work.

The article about file types in AMP is here Advanced Malware Protection (AMP) - Cisco Meraki

I think that it is Talos that flagged the file:  https://talosintelligence.com/sha_searches  Put in the SHA and Talos has that flagged. 

Hi folks! As @GiacomoS said, the Meraki team is aware and investigating this issue currently. You can subscribe to this post for updates, which we will share as we have them. Thank you!

ETA: I'm going to mark this as the solution for now for greater visibility. 

we started receiving these alerts from 12:18, at all of out sites looking at the url we thought it could be a false positive likely the denial of service request for SSL we had a few weeks ago.. 

Is anyone aware of the effect on the Office clients - do they recover after the failed download?
Is the blocked update a Security or Feature update?

Same here. Slight panic but I'd rather have a few false positives than a single true positive 😉

Coinciding with an internet disruption made me think the worst...

Been working all morning to determine where this is originating from on my network. Wish I had seen the marked as benign earlier. 

So we are safe to say it is clear. Great now I will start working on what I intended to this morning

For me Meraki determined the downloads as coming from Turkey... The IP is 8.252.195.124 which is registered with a US company but this seems suspicious.

SHA256 d73298c7c8b8ce78f7003cf6832a8dd719ab4d240cf3e213fcf8824539c81873