# IP Intelligence Briefing: 20.226.33.200/32
## Executive Summary
Risk Assessment: Moderate Risk (65/100)
Infrastructure: Microsoft Azure Cloud Compute
Classification: Legitimate Infrastructure with Elevated Risk Signals
## Ownership and Infrastructure Profile
The IP address 20.226.33.200 is registered to Microsoft Corporation (ASN 8075, network name MSFT) within the 20.192.0.0/10 block. It is classified as Microsoft Azure cloud compute; no active services were detected, consistent with a firewalled host. The address exhibits cloud-hosting characteristics rather than traditional hosting or residential patterns, which matters for attribution: an Azure address is normally assigned to a tenant's virtual machine or service, so the owner of record (Microsoft) is not the operator of whatever runs behind it.
## Geolocation Analysis
Geolocation data places the address in São Paulo, Brazil, but with a 2500 km accuracy radius, which covers most of South America and makes the city-level placement unreliable. Historical observations also carry the coordinates (39.83, -98.58); that point is the geographic centre of the contiguous United States and is the country-level placeholder that geolocation databases return when they know only the country, so it reflects the ARIN/United States registration of the block rather than a second physical location. Azure allocates address ranges per region, so a Brazil placement is not implausible for a Microsoft-owned address, but the geolocation dimension rests on a single source (see the confidence breakdown below) and should not be used for attribution. The routing data also flags the prefix as not route-stable (isRouteStable: false); that signal likewise comes from a single observation and may reflect the dynamic announcements normal for a large cloud provider rather than an anomaly.
## Threat Indicators and Reputation
- Risk Score: 65/100 (Moderate Risk)
- DNSBL Listings: 3 of 8 total lists
- Abuse Confidence: Not explicitly flagged as known attacker
- Tor Exit Node: No
- Known Campaigns: None correlated
- Blacklist Count: 0 (traditional blacklists)
The risk score of 65 is only loosely supported by the indicators above. The address is listed on 3 of the 8 DNSBLs queried, yet the traditional blacklist count is 0, it is not a Tor exit, it is not flagged as a known attacker and no campaign correlates with it. Combined with the low confidence of the threat and reputation dimensions (35% from two sources and 17% from one source respectively), this pattern is more consistent with a host that is misconfigured, misused or operating in a high-risk context than with dedicated malicious infrastructure. The DNSBL listings are the one concrete signal and should be checked directly against the listing services, since listing policies differ and some lists include entire cloud or dynamic ranges as a matter of policy rather than observed abuse.
## Network Behavior and Services
- Open Ports: None detected
- DNS Resolution: No PTR hostnames, no forward resolution confirmed
- HTTP Services: No active web services detected
- TLS Certificates: None observed
- Service Purpose: Firewalled / No Services
## Neighborhood Analysis
Subnet: 20.226.33.0/24 (containing 20.226.33.200)
Classification: Clean (neighborhood level)
Abuse Density: 0
Risk Distribution: 1 low-risk, 0 medium/high-risk neighbors
Active Siblings: 2 of 2 total siblings
The /24 shows low neighborhood-level risk: the only other observed host, 20.226.33.48, scores 25/100. This suggests the elevated score for 20.226.33.200 is IP-specific rather than subnet-wide. Note that the "clean" classification rests on just two observed addresses out of 256 in the /24, so it says little about the rest of the block; public cloud ranges are shared by many unrelated tenants, and a neighbor's score is weak evidence in either direction.
## Historical Observations
Sixteen observations recorded, primarily from 2026-06-16. The historical data shows:
- Ownership consistency with Microsoft Corporation
- Subnet classification as "clean" during observation periods
- No persistent malicious behavior detected
- Ownership changes: 0
- Threat persistence days: 0
## Recommended Actions
Blocking Controls (conditional)
The risk score alone (65/100 at 24% overall confidence) does not justify an automatic block; the Intelligence Assessment below recommends monitoring first. If local activity or additional signals warrant it, the following controls block the single address. Use /32 explicitly and insert the rule ahead of any broad accept rules so that it is actually evaluated:
Firewall/Blocking Rules:
```bash
# Host firewall, iptables: insert at the top of INPUT so an earlier ACCEPT does not shadow the rule
iptables -I INPUT 1 -s 20.226.33.200/32 -j DROP

# Host firewall, nftables: assumes an existing "inet filter" table with an "input" chain
nft add rule inet filter input ip saddr 20.226.33.200 drop
```
Web tier (nginx, inside the relevant server or location block):
```nginx
deny 20.226.33.200;
```
WAF Integration:
- Cloudflare WAF: add a custom rule blocking 20.226.33.200, recording the reason (IPDebrief risk score 65) in the rule description
- AWS WAF: add 20.226.33.200/32 to an IP set referenced by a block rule
Monitoring Enhancements
- Increase logging verbosity for this IP address
- Review recent activity patterns from 20.226.33.200
- Monitor for changes in DNS resolution or service emergence
- Correlate with any reported abuse incidents from the /24 subnet
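The monitoring steps above (review activity from the address, correlate with the /24 described under Neighborhood Analysis, escalate only on additional signals) can be run as a small triage script. The following is an added example, not part of the briefing and not IPDebrief or vendor code: it parses constructed nginx and sshd log lines, splits activity into the subject address and its /24 siblings, and applies a monitor-versus-block policy that encodes the briefing's stance of monitoring first and blocking only on local evidence or a high score backed by adequate confidence. The log lines, the `Intel` fields and all thresholds are assumptions made for the example.

```python
"""Log triage for the briefed address and its /24.

Added example (not part of the briefing and not vendor code): correlates
constructed nginx and sshd log lines with 20.226.33.200 and its /24 neighbours,
then applies a monitor-vs-block policy mirroring the briefing's guidance.
Sample log lines and thresholds are assumptions made for the example.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

SUBJECT_IP = ipaddress.ip_address("20.226.33.200")
SUBJECT_NET = ipaddress.ip_network("20.226.33.0/24")

# Constructed sample data: nginx combined-format lines and sshd auth-log lines.
SAMPLE_LOGS = """\
20.226.33.200 - - [21/Jun/2026:18:55:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
20.226.33.48 - - [21/Jun/2026:18:55:10 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"
203.0.113.7 - - [21/Jun/2026:18:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
Jun 21 18:57:12 web01 sshd[2201]: Invalid user admin from 20.226.33.200 port 51234
Jun 21 18:57:15 web01 sshd[2201]: Failed password for invalid user admin from 20.226.33.200 port 51234 ssh2
Jun 21 18:58:40 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2
"""

NGINX_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SSHD_RE = re.compile(
    r'sshd\[\d+\]: (?P<msg>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+')


@dataclass
class Event:
    ip: ipaddress.IPv4Address
    kind: str      # "http" or "ssh"
    detail: str    # request line and status, or the sshd message


def parse_events(text: str) -> list[Event]:
    """Extract (client IP, kind, detail) from each recognised line; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if m:
            events.append(Event(ipaddress.ip_address(m["ip"]), "http", f'{m["req"]} -> {m["status"]}'))
            continue
        m = SSHD_RE.search(line)
        if m:
            events.append(Event(ipaddress.ip_address(m["ip"]), "ssh", m["msg"]))
    return events


def correlate(events: list[Event], subject=SUBJECT_IP, net=SUBJECT_NET) -> dict:
    """Split activity into the subject address and its /24 siblings (the briefing's neighbourhood)."""
    mine = [e for e in events if e.ip == subject]
    siblings = [e for e in events if e.ip in net and e.ip != subject]
    return {
        "subject_total": len(mine),
        "subject_by_kind": dict(Counter(e.kind for e in mine)),
        "subject_auth_failures": sum(1 for e in mine if e.kind == "ssh" and not e.detail.startswith("Accepted")),
        "sibling_ips": sorted({str(e.ip) for e in siblings}),
        "sibling_total": len(siblings),
    }


@dataclass
class Intel:
    """Reputation fields as reported in a briefing; values are passed in, not looked up."""
    risk_score: int
    dnsbl_listings: int
    confidence: float   # overall confidence, 0.0 to 1.0
    open_ports: int


def disposition(intel: Intel, summary: dict, auth_fail_threshold: int = 5,
                block_score: int = 80, min_confidence: float = 0.5) -> tuple[str, str]:
    """Return ("block" | "monitor" | "ignore", reason). Thresholds are assumed for the example."""
    # Local evidence outranks third-party scoring: repeated auth failures justify a block on their own.
    if summary["subject_auth_failures"] >= auth_fail_threshold:
        return "block", f"{summary['subject_auth_failures']} SSH authentication failures observed locally"
    # A high score is only actionable when the profile's own confidence is adequate.
    if intel.risk_score >= block_score and intel.confidence >= min_confidence:
        return "block", f"risk score {intel.risk_score} at {intel.confidence:.0%} confidence"
    if summary["subject_total"] or summary["sibling_total"] or intel.dnsbl_listings or intel.risk_score >= 50:
        return "monitor", (f"score {intel.risk_score} at {intel.confidence:.0%} confidence, "
                           f"{intel.dnsbl_listings} DNSBL listings, {summary['subject_total']} local events")
    return "ignore", "no local activity and no reputation signals"


def block_rule(ip: ipaddress.IPv4Address) -> str:
    """nftables rule for the address; only emitted when the disposition is "block"."""
    return f"nft add rule inet filter input ip saddr {ip}/32 drop"


if __name__ == "__main__":
    summary = correlate(parse_events(SAMPLE_LOGS))
    briefing = Intel(risk_score=65, dnsbl_listings=3, confidence=0.24, open_ports=0)
    action, why = disposition(briefing, summary)
    print(summary)
    print(action, "-", why)
    if action == "block":
        print(block_rule(SUBJECT_IP))
```

With the briefing's own values (score 65, 3 DNSBL listings, 24% confidence) and the constructed logs, the script lands on "monitor": the two SSH failures are below the assumed threshold and the score is not backed by enough confidence to block on reputation alone. Feeding it the real access and auth logs, and raising the confidence gate or the failure threshold to match local policy, turns the briefing's advice into a repeatable decision rather than a judgement call.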
## Intelligence Assessment
This IP represents Microsoft Azure infrastructure with an elevated risk score of 65, which warrants monitoring but does not indicate confirmed malicious activity. The score also rests on thin evidence: overall confidence is 24%, and the routing, reputation and geolocation dimensions each come from a single source. The gap between the moderate risk score and the clean neighborhood classification suggests the risk stems from configuration anomalies, misdirected traffic, policy-based DNSBL listings or other contextual factors rather than inherent maliciousness. SOC analysts should watch for behavioral changes (a PTR record appearing, ports opening, authentication failures or scanning from this address in local logs) rather than assume malicious intent. The absence of open services and of correlated threat indicators supports a "monitor but do not automatically block" approach, with blocking only if operational requirements or additional signals justify it.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Microsoft Corporation |
| ASN | AS8075 |
| Network Name | MSFT |
| CIDR Block | 20.192.0.0/10 |
| RIR | ARIN |
| Country | United States |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No (there is no PTR hostname to resolve back to this IP; weak signal) |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
SPF, DMARC and CAA are records published on a domain name, not on an address. With no PTR record there is no hostname to evaluate, so "Not configured" here reflects the absence of any associated domain rather than a misconfiguration, and the 20% hygiene score should be read accordingly. The DNSSEC result most likely refers to the in-addr.arpa lookup for the address.
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | none |
| HTTP Title | none |
Only seven common ports were probed, so "no open ports" means none of these seven answered, not that the host exposes nothing. A service on another port (a non-default SSH port or an application port, for example) would not appear here, which is why the monitoring recommendations include watching for service emergence.
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | none |
| Valid Until | none |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 35% | 2 | 3 |
| routing | 17% | 1 | 1 |
| services | 24% | 2 | 2 |
| ownership | 35% | 2 | 3 |
| reputation | 17% | 1 | 2 |
| geolocation | 17% | 1 | 1 |
| Overall | 24% | 9 | 12 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-06-11 15:08:27 UTC |
| Last Seen | 2026-06-21 18:55:03 UTC |
| Profile Built | 2026-06-21 19:04:25 UTC |
| Data Freshness | Live |
| Signal Types | 18 |
| Total Observations | 21 |
Full dossier details are available via our API.