What kind of attack is this: (="...?return="><noembed><img+src%3D...")

0

My server is throwing errors like this. I suppose some kind of attack is taking place. I have IIS7, Windows Server 2012.

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.RawUrl value was detected from the client (="...?return="><noembed><img+src%3D...").
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.get_RawUrl()
   at System.Web.UI.Page.ValidateRawUrlIfRequired()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
iis-7
xss
asked on Stack Overflow Apr 23, 2019 by Toolkit

1 Answer

0

It is basically a warning for a cross-site scripting attack (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

This means somebody is trying to inject valid HTML into your webpage using the query-string. If your webserver is programmed to subsequently display this somewhere else (maybe a forum or something) then this opens up an attack vector. Other visiting users to your site might execute JavaScript code injected by the attacker.

To prevent this, ASP.NET by default does not allow certain content to appear in the query string, specifically anything that resembles valid HTML. This could be caused by an input-field somewhere on your website that does not correctly escape HTML characters OR someone is simply trying to attack your website. Either way, make sure to always escape user-controlled input correctly on the server or on the client (or both).

If you think your security is OK, then you can ignore this error as it is basically out of your control. ASP.NET simply detected the attack and blocked it.

answered on Stack Overflow Apr 23, 2019 by gerwin
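The following Node.js script is an added example, not code from the question or the answer. It models the two points the answer makes: a request-validation check that rejects a query string which looks like HTML (the regex is an approximation of ASP.NET's rule, not the framework's own code), and HTML-escaping of a user-controlled `return` parameter before it is reflected into a page. The sample URL is constructed to resemble the value in the question's error message; all function names are assumptions.

```javascript
// Decode a raw URL the way a query-string consumer would see it: '+' is a
// space, '%XX' is percent-decoded. Malformed encodings fall back to the raw text.
function decodeQueryValue(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, ' '));
  } catch (e) {
    return value;
  }
}

// Approximation (assumption, not ASP.NET's exact rule set): a '<' followed by a
// letter, '!', '/' or '?', or an '&#' entity prefix, is treated as HTML markup.
function looksLikeHtml(value) {
  return /<[A-Za-z!\/?]|&#/.test(decodeQueryValue(value));
}

// Mirrors the effect of Page.ValidateRawUrlIfRequired(): the whole raw URL is
// checked, and a match blocks the request before any page code runs.
function validateRawUrl(rawUrl) {
  const decoded = decodeQueryValue(rawUrl);
  const match = decoded.match(/<[A-Za-z!\/?]|&#/);
  return match
    ? { blocked: true, offending: decoded.slice(match.index, match.index + 20) }
    : { blocked: false, offending: null };
}

// Escape the five characters that can break out of HTML text or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the 'return' parameter out of a raw URL (URLSearchParams decodes it).
function getReturnParam(rawUrl) {
  const idx = rawUrl.indexOf('?');
  const params = new URLSearchParams(idx === -1 ? '' : rawUrl.slice(idx + 1));
  return params.get('return') || '';
}

// Reflect the parameter into a link. With escape=false the markup in the
// parameter is emitted as-is (the XSS sink the answer describes); with
// escape=true it becomes inert text inside the attribute. Note that escaping
// prevents markup injection only; it does not validate where the link points.
function renderReturnLink(returnValue, escape) {
  const value = escape ? escapeHtml(returnValue) : returnValue;
  return `<a href="${value}">back</a>`;
}

// Constructed sample, shaped like the value in the question's exception.
const SAMPLE_RAW_URL = '/login.aspx?return="><noembed><img+src%3Dx>';
// Constructed benign sample: an encoded relative path with no markup.
const BENIGN_RAW_URL = '/login.aspx?return=%2Fhome%3Ftab%3D1';

function demo() {
  for (const url of [SAMPLE_RAW_URL, BENIGN_RAW_URL]) {
    const verdict = validateRawUrl(url);
    console.log(url, '=>', verdict.blocked ? `BLOCKED (${verdict.offending})` : 'allowed');
  }
  const ret = getReturnParam(SAMPLE_RAW_URL);
  console.log('unsafe:', renderReturnLink(ret, false));
  console.log('safe:  ', renderReturnLink(ret, true));
}

demo();
```

Running it shows the suspicious URL being blocked at the validation step, and, had validation been disabled, the difference between reflecting the parameter raw (which emits a `<noembed>` and `<img>` tag into the page) and reflecting it escaped.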

User contributions licensed under CC BY-SA 3.0