# INTELLIGENCE BRIEFING: 104.210.140.131
Classification: MODERATE RISK (Score: 40/100)
Date: 2026-06-25
Prepared For: SOC Analysts
Status: Active Monitoring Required
---
## EXECUTIVE SUMMARY
IP 104.210.140.131 is a Microsoft Azure cloud infrastructure endpoint (AS8075) geolocated to San Antonio, TX. The IP itself shows no direct threat indicators, is firewalled (0 of 7 scanned ports open) and carries a single DNSBL listing. Its immediate 16-address neighborhood, 104.210.140.128–104.210.140.143 (the /28 inside the 104.210.140.0/24 block), has a high abuse density of 0.5625, with 9 of the 16 addresses flagged as threat siblings. No blocking is warranted on current evidence, but the neighborhood requires monitoring.
---
## NETWORK IDENTIFICATION
| Attribute | Value |
|---|---|
| **ASN** | 8075 (Microsoft Corporation) |
| **Organization** | Microsoft Corporation |
| **Infrastructure Type** | CloudCompute (Microsoft Azure) |
| **Geolocation** | San Antonio, TX, US |
| **CIDR Block** | 104.210.140.0/24 |
| **Route Stability** | False (routing changes detected) |
---
## THREAT ASSESSMENT
Direct Threat Indicators: None detected
- No known attacker campaigns
- No Tor exit node activity
- No spam source classification
- No open ports (0 of 7 scanned: 22, 25, 80, 443, 3389, 8080, 8443)
- No SPF/DMARC records (a DNS hygiene gap rather than a threat indicator: SPF and DMARC are published under domain names, and this IP has no PTR hostname)
Control Plane Status:
- Listed on 1 of 8 DNSBLs queried (listing source and severity still to be confirmed; see Recommended Actions)
- Route stability: Unstable (routing changes observed)
- RPKI state: Not available (origin validation cannot be checked)
- DNSSEC: Valid
---
## NEIGHBORHOOD ANALYSIS
Subnet Risk Profile: HIGH ABUSE
- Neighborhood examined: 104.210.140.128–104.210.140.143 (16 addresses, the /28 containing this IP within 104.210.140.0/24)
- Abuse Density: 0.5625 (9 of 16 addresses flagged, 56.25%)
- Total Siblings: 16 (block size, including this IP)
- Active Siblings: 12
- Threat Siblings: 9
Neighbor Risk Distribution (15 neighbors, the block minus this IP):
| Risk Level | Count |
|---|---|
| High | 0 |
| Medium | 15 |
| Low | 0 |
Key Sibling IPs (Risk Score 40-50):
- 104.210.140.128–104.210.140.143 (15 IPs, excluding 104.210.140.131 itself)
- All siblings show an authority score of 50
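Worked example, added to this briefing and not part of the original dossier tooling: the neighborhood figures above follow from block size and flagged count, and the same nine flagged addresses give a very different density depending on whether the block is taken as the /28 the sibling count implies or the /24 the report names. The nine flagged addresses and the density cut-offs below are constructed; the page only states that 0.5625 is classed `high_abuse`.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed data: the report's target and nine placeholder "threat siblings".
# The page does not say which nine of the sixteen addresses are flagged.
TARGET = "104.210.140.131"
FLAGGED_SIBLINGS = {
    "104.210.140.128", "104.210.140.129", "104.210.140.130",
    "104.210.140.133", "104.210.140.134", "104.210.140.137",
    "104.210.140.139", "104.210.140.141", "104.210.140.142",
}

# Density cut-offs are an assumption; the page only labels 0.5625 "high_abuse".
THRESHOLDS = ((0.5, "high_abuse"), (0.2, "moderate_abuse"), (0.0, "low_abuse"))


def neighborhood(ip: str, prefixlen: int = 28) -> ipaddress.IPv4Network:
    """Return the block of the given prefix length that contains ip."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def infer_prefixlen(total_siblings: int) -> int:
    """Recover the prefix length from a sibling count: 16 -> /28, 256 -> /24."""
    if total_siblings < 1 or total_siblings & (total_siblings - 1):
        raise ValueError("sibling count must be a power of two")
    return 33 - total_siblings.bit_length()


def abuse_density(ip: str, flagged: Iterable[str], prefixlen: int = 28
                  ) -> Tuple[int, int, float, str]:
    """Count flagged addresses in ip's block and classify the density.

    The target is never counted as flagged but stays in the denominator,
    which is how the report arrives at 9 / 16 = 0.5625.
    """
    net = neighborhood(ip, prefixlen)
    total = net.num_addresses
    flagged_here = {a for a in flagged if ipaddress.ip_address(a) in net}
    flagged_here.discard(ip)
    count = len(flagged_here)
    density = count / total
    label = next(lbl for cutoff, lbl in THRESHOLDS if density >= cutoff)
    return count, total, density, label


if __name__ == "__main__":
    for plen in (28, 24):
        c, t, d, lbl = abuse_density(TARGET, FLAGGED_SIBLINGS, plen)
        print(f"{neighborhood(TARGET, plen)}: {c}/{t} flagged, density={d:.4f}, {lbl}")
```

Run against the /28 this reproduces the report's 9/16 = 0.5625 `high_abuse`; the same nine addresses spread over the /24 are 9/256, which is why the block size must be stated alongside the density.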
---
## OBSERVATION HISTORY
Total Signals: 18 observations (June 2026)
Recent Activity Timeline:
- 2026-06-25T21:59:47: Geolocation confirmed (San Antonio, TX)
- 2026-06-25T21:58:58: DNSBL listings updated (high severity)
- 2026-06-25T21:58:48: Subnet abuse density classified as high_abuse
Trend Analysis:
- Consistent geolocation reporting
- Persistent DNSBL presence
- No evidence of escalating threat activity
- Average ownership days: Not applicable (cloud infrastructure)
---
## RELATIONSHIP MAPPING
Network Associations: 28 relationships identified
- All relationships classified as "Same Network" (MSFT/Microsoft)
- No external hostname, organization, or certificate associations
- Indicates pure Microsoft Azure infrastructure footprint
---
## RECOMMENDED ACTIONS
Immediate:
1. Monitor Subnet: Track activity across 104.210.140.0/24, with priority on the 104.210.140.128/28 block that holds the 9 threat siblings
2. Threat Sibling Correlation: Check the 9 identified threat siblings against internal logs and threat feeds for shared infrastructure or related activity
3. DNSBL Verification: Query the 8 lists directly to confirm which one lists the IP, the return code it gives, and the listing reason
Firewall/Security Rules:
- No immediate blocking recommended (risk score 40 = moderate)
- Alert on allowed sessions between internal hosts and 104.210.140.0/24 in either direction; outbound sessions to the threat siblings are the first to review
- Block inbound traffic from the block if organizational policy prohibits Azure-to-internal communications
Investigation Priorities:
- Determine whether the threat siblings are Azure customer workloads or Microsoft-operated infrastructure (Azure service tag data and RDAP/PTR records help distinguish the two)
- Assess whether the DNSBL listing reflects abuse from this address or a stale or range-wide listing
- Evaluate whether the observed routing changes matter for trust in the origin; RPKI state is not available, so origin validation cannot settle this
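Worked example, added here and not part of the original briefing or any vendor tool, covering two of the actions above: DNSBL verification (reversed-octet query names, with list-error return codes kept separate from real listings) and firewall-log correlation that distinguishes the target, the /28 threat-sibling block and the rest of the /24. The zone names, the Spamhaus-style 127.255.255.0/24 error convention, the key=value log format and all log lines are constructed for the example.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

TARGET = "104.210.140.131"
SUBNET = ipaddress.ip_network("104.210.140.0/24")
HOT_BLOCK = ipaddress.ip_network("104.210.140.128/28")  # the 16-address sibling range

# Zone names are illustrative; the page does not say which of its eight lists hit.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]

# Spamhaus-style convention (assumption for other lists): 127.255.255.x answers
# mean the query was rejected (open resolver, rate limit, bad name), not a listing.
DNSBL_LISTED = ipaddress.ip_network("127.0.0.0/8")
DNSBL_ERRORS = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], Optional[List[str]]]  # query name -> A records, None on NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets: 104.210.140.131 -> 131.140.210.104.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbls(ip: str, zones: List[str], resolve: Resolver
                 ) -> Dict[str, Tuple[str, List[str]]]:
    """Return {zone: (status, codes)} with status in {"clean", "listed", "error"}."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone)) or []
        codes = [a for a in answers if ipaddress.ip_address(a) in DNSBL_LISTED]
        if not codes:
            results[zone] = ("clean", [])
        elif any(ipaddress.ip_address(a) in DNSBL_ERRORS for a in codes):
            results[zone] = ("error", codes)
        else:
            results[zone] = ("listed", codes)
    return results


def summarize(results: Dict[str, Tuple[str, List[str]]]) -> Tuple[int, int, int]:
    """Mirror the report's 'listed on N of M lists' line, counting errors separately."""
    listed = sum(1 for s, _ in results.values() if s == "listed")
    errors = sum(1 for s, _ in results.values() if s == "error")
    return listed, errors, len(results)


# Firewall log correlation over a constructed key=value log format.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def classify_peer(ip: str) -> Optional[str]:
    """'target' for the IP itself, 'sibling' for the /28, 'subnet' for the rest of the /24."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address(TARGET):
        return "target"
    if addr in HOT_BLOCK:
        return "sibling"
    if addr in SUBNET:
        return "subnet"
    return None


def scan_firewall_log(lines: List[str]) -> List[Tuple[str, str, str, int, str]]:
    """Return (tag, direction, peer, dport, action) for every line touching the /24."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for field, direction in (("src", "inbound"), ("dst", "outbound")):
            tag = classify_peer(m[field])
            if tag:
                hits.append((tag, direction, m[field], int(m["dport"]), m["action"]))
    return hits


def sample_resolver(name: str) -> Optional[List[str]]:
    """Constructed answers: one query error, one listing, one NXDOMAIN."""
    table = {
        dnsbl_query_name(TARGET, "zen.spamhaus.org"): ["127.255.255.254"],
        dnsbl_query_name(TARGET, "bl.spamcop.net"): ["127.0.0.2"],
    }
    return table.get(name)


# Constructed firewall lines; the internal 10.0.5.0/24 side is invented.
SAMPLE_LOG = [
    "2026-06-25T22:01:03Z fw01 src=104.210.140.131 dst=10.0.5.20 dport=443 action=deny",
    "2026-06-25T22:01:09Z fw01 src=10.0.5.44 dst=104.210.140.137 dport=3389 action=allow",
    "2026-06-25T22:01:15Z fw01 src=104.210.140.7 dst=10.0.5.20 dport=25 action=deny",
    "2026-06-25T22:01:20Z fw01 src=10.0.5.44 dst=203.0.113.9 dport=53 action=allow",
]

if __name__ == "__main__":
    results = check_dnsbls(TARGET, DNSBL_ZONES, sample_resolver)
    print(results, summarize(results))
    for hit in scan_firewall_log(SAMPLE_LOG):
        print(hit)
```

In the sample data only one zone counts as a listing; the 127.255.255.254 answer is reported as an error rather than inflating the listing count, which is the distinction a "legitimate abuse or false positive" review needs. The allowed outbound RDP session to a threat sibling is the hit that should be reviewed first.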
---
## RISK CONCLUSION
This IP represents legitimate Microsoft Azure infrastructure with no direct compromise indicators. However, its immediate neighborhood (104.210.140.128/28, 9 of 16 addresses flagged) is a high-abuse environment that warrants proactive monitoring. The 9 threat-sibling IPs suggest shared infrastructure or abusive customer tenancies in the same block. Recommend ongoing observation without immediate blocking unless threat indicators develop.
Recommended Risk Score for SOC: 40/100 (MODERATE)
Action Level: MONITOR
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
---
## OWNERSHIP & REGISTRATION
| Attribute | Value |
|---|---|
| Organization | Microsoft Corporation |
| ASN | AS8075 |
| Network Name | Not available |
| CIDR Block | Not available |
| RIR | ARIN |
| Country | Not available |
| Abuse Contact | Available via RDAP |
---
## DNS INTELLIGENCE
| Attribute | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No (no PTR record exists, so forward confirmation cannot be performed; weak signal) |
---
## DNS HYGIENE
| Attribute | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified (no PTR record to confirm) |
| DNSSEC | Valid |
| CAA | Not configured |
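Worked example, added here and not part of the original dossier: a forward-confirmed reverse DNS check that keeps "no PTR" distinct from "PTR does not resolve back", which is the distinction the DNS Intelligence and DNS Hygiene rows above depend on. Lookups are injected so it runs offline; the documentation-range addresses, hostnames and their answers are constructed.

```python
from typing import Callable, Dict, List

# Lookups are injected so the example runs offline. In production wrap
# dnspython's dns.resolver (PTR, then A/AAAA) or socket.gethostbyaddr/getaddrinfo.
PtrLookup = Callable[[str], List[str]]   # ip -> PTR names (empty list if none)
FwdLookup = Callable[[str], List[str]]   # hostname -> address records (empty if none)


def fcrdns(ip: str, ptr: PtrLookup, fwd: FwdLookup) -> Dict[str, object]:
    """Forward-confirmed reverse DNS with the no-PTR case kept distinct.

    status: 'no_ptr'    - nothing to confirm; the check is not applicable
            'confirmed' - at least one PTR name resolves back to ip
            'mismatch'  - PTR names exist but none resolve back to ip
    """
    names = ptr(ip)
    if not names:
        return {"status": "no_ptr", "ptr": [], "forward": {}, "confirmed": []}
    forward = {name: fwd(name) for name in names}
    confirmed = [name for name, addrs in forward.items() if ip in addrs]
    return {
        "status": "confirmed" if confirmed else "mismatch",
        "ptr": names,
        "forward": forward,
        "confirmed": confirmed,
    }


def hygiene_line(result: Dict[str, object]) -> str:
    """Render the result the way the dossier's FCrDNS row should read."""
    status = result["status"]
    if status == "no_ptr":
        return "Not verified (no PTR record; forward confirmation cannot be performed)"
    if status == "confirmed":
        return "Verified (" + ", ".join(result["confirmed"]) + ")"
    return "Failed (PTR hostname does not resolve back to this IP)"


# Constructed resolver data. 104.210.140.131 has no PTR, as the page states;
# the two documentation-range addresses illustrate the other outcomes.
_PTR = {
    "192.0.2.10": ["mail.example.com"],
    "192.0.2.20": ["host.example.net"],
}
_FWD = {
    "mail.example.com": ["192.0.2.10"],
    "host.example.net": ["198.51.100.5"],
}


def sample_ptr(ip: str) -> List[str]:
    return _PTR.get(ip, [])


def sample_fwd(name: str) -> List[str]:
    return _FWD.get(name, [])


if __name__ == "__main__":
    for ip in ("104.210.140.131", "192.0.2.10", "192.0.2.20"):
        print(ip, "->", hygiene_line(fcrdns(ip, sample_ptr, sample_fwd)))
```

A tool that reports "PTR hostname does not resolve back" for an address with no PTR at all is conflating the `no_ptr` and `mismatch` outcomes; only the latter is evidence about the operator's DNS hygiene.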
---
## NETWORK CLASSIFICATION
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
---
## SERVICES & OPEN PORTS
| Attribute | Value |
|---|---|
| Open Ports | None detected (0 open / 7 scanned) |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 |
| Server Header | Not observed (no HTTP service) |
| HTTP Title | Not observed (no HTTP service) |
---
## TLS CERTIFICATE
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | Not available (no TLS service observed) |
| Valid Until | Not available (no TLS service observed) |
---
## CONFIDENCE BREAKDOWN
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 33% | 2 | 4 |
| routing | 8% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 24% | 2 | 3 |
| reputation | 30% | 1 | 3 |
| geolocation | 31% | 2 | 3 |
| Overall | 24% | 10 | 16 |

| Measure | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid (check names only; individual results are not shown in this extract) |
---
## OBSERVATION TIMELINE (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-10 04:11:18 UTC |
| Last Seen | 2026-06-27 16:47:45 UTC |
| Profile Built | 2026-06-28 10:53:25 UTC |
| Data Freshness | Live |
| Signal Types | 19 |
| Total Observations | 23 |