
Wow, Poisontap open automatically a browser!

Open f3d0x0 opened this issue 7 years ago • 4 comments

I'm doing a pentest for my company and in the meantime I'm trying to experiment with some new physical attacks involving USB ports as attack vectors. The workstation that I'm testing is a fully patched Windows 10 with all security updates, full-disk encryption and a strong "cloud-based" firewall. I armed my Raspberry Pi Zero with PoisonTap correctly and, during my tests, on this particular workstation I surprisingly found that PoisonTap is working without an open browser, because after a minute Internet Explorer automatically opens with the incredible HTML5 canvas animation and suggests to me that PoisonTap is working: cookies are stored in the log file, and the web-cache backdoors are reachable from my C&C server! :)

I was surprised about that, and I started analysing the network traffic to find which services could trigger PoisonTap. The only HTTP traffic that I found was directed to 3 IP addresses:

  • 13.107.4.50 (Microsoft Corporation)
  • 95.100.234.23 (Singapore Akamai Technologies)
  • 23.12.108.239 (Paris Akamai Technologies)

I suppose this traffic is some sort of background Windows update, and this triggered PoisonTap. But what is currently not clear to me is how this background traffic could pop up a new Internet Explorer browser. Has anyone else found similar behaviour?

f3d0x0, Dec 22 '16 16:12