# IP Intelligence Briefing: 20.226.121.186/32
Classification: Moderate Risk | Provider: Microsoft Azure | Risk Score: 65/100
---
## Executive Summary
IP 20.226.121.186 is a Microsoft Azure cloud infrastructure address with a moderate risk profile (65/100). The IP is geolocated to São Paulo, Brazil (BR) and belongs to Microsoft Corporation's 20.192.0.0/10 CIDR block (AS8075). The address is listed on 3 of 8 DNS blacklists with high-severity classifications, though no active threat campaigns or known attacker indicators have been identified.
---
## Technical Profile
- ASN/Owner: 8075 / Microsoft Corporation (MSFT)
- Geolocation: São Paulo, Brazil (2500 km accuracy radius)
- Network Role: Cloud infrastructure (Microsoft Azure); no open services detected
- Control Plane: Stable BGP route (20.192.0.0/10), DNSSEC valid, RPKI state unknown
- DNS: Forward resolution pending; no PTR hostnames; 0 hosted domains
---
## Threat Indicators
- DNSBL Listings: 3 of 8 total lists flagged (high severity)
- Blacklist Sources: Multiple commercial and threat feed listings (categories suppressed)
- Campaign Association: No known active campaigns correlated
- Behavioral: No WAF violations, no honeypot hits, no enumeration strikes
---
## Observation History (15 signals)
Recent observations show:
- 2026-06-16 23:49: Geolocation signal (US, 39.83°N, -98.58°W), confidence 0.35
- 2026-06-16 23:43: Ownership change signal, no changes detected
- 2026-06-16 23:40: RIR registration confirmed (ARIN)
- 2026-06-16 23:40: ASN/Network confirmation (20.192.0.0/10)
- 2026-06-16 23:40: DNSBL signal with 3 listings, high-severity classification
Geolocation discrepancies observed (US vs BR) warrant continued monitoring.
---
## Neighborhood Analysis (/24 Subnet)
- Subnet: 20.226.121.0/24
- Abuse Density: 0 (classified as "clean")
- Active Siblings: 1 (20.226.121.138, risk score 50/100)
- Threat Siblings: 0
The subnet shows minimal abuse activity, suggesting the target IP may be anomalous within its Microsoft Azure allocation.
---
## Recommended Actions
### Monitoring
Increase logging verbosity and review recent activity from this IP due to elevated risk score (65/100).
### Firewall Rules (Implementation)
- iptables: `iptables -A INPUT -s 20.226.121.186 -j DROP`
- nftables: `nft add rule inet filter input ip saddr 20.226.121.186 drop`
- nginx: `deny 20.226.121.186;`
- pfSense: `20.226.121.186/32`
- Cloudflare WAF: Block with expression `ip.src eq 20.226.121.186`
- AWS WAF: `Addresses: ["20.226.121.186/32"]`
---
## Intelligence Assessment
Despite Microsoft Azure infrastructure designation, the IP's presence on multiple DNS blacklists with high-severity classifications suggests potential misuse or compromised cloud infrastructure. The geolocation discrepancy (BR vs US signals) and elevated risk score warrant continued observation. Recommend blocking pending further validation from additional threat intelligence feeds.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Microsoft Corporation |
| ASN | AS8075 |
| Network Name | MSFT |
| CIDR Block | 20.192.0.0/10 |
| RIR | ARIN |
| Country | United States |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 24% | 2 | 2 |
| routing | 17% | 1 | 1 |
| services | 17% | 1 | 1 |
| ownership | 35% | 2 | 3 |
| reputation | 17% | 1 | 2 |
| geolocation | 17% | 1 | 1 |
| Overall | 21% | 8 | 10 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |

Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-06-15 17:59:40 UTC |
| Last Seen | 2026-06-21 23:35:41 UTC |
| Profile Built | 2026-06-21 23:45:44 UTC |
| Data Freshness | Live |
| Signal Types | 16 |
| Total Observations | 19 |