RE: Suspicious incoming RDP: Victim IP - 13.65.113.217


We received a LOW ASC Alert regarding an attack on 116 IP addresses.


"Network traffic analysis detected anomalous incoming Remote Desktop Protocol (RDP) communication to 13.65.113.217, associated with your resource 4255c1da87924ebda2e54616ea906f74, from multiple sources."


Neither the incoming IP addresses nor the Resource are part of our Azure environment. I searched and found the IP is part of MS, but I am not sure about the Compromised Host "4255c1da87924ebda2e54616ea906f74".

This has been reported as a Brute Force and our CISO is wanting some type of comment regarding the resolution. I see it as false positive activity from Microsoft but need to make sure. Has anyone run into this type of Alert before?


Cheers,

Serge
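One way to do the first triage step the post describes, namely checking whether the victim IP and resource named in the alert belong to your own environment, as an added example that is not part of the original post or of any Microsoft tooling. The owned prefixes and known resource IDs below are hypothetical, and the alert text is the one quoted above.

```python
import ipaddress
import re

# The alert description quoted in the post above (constructed copy for this example).
ALERT_TEXT = (
    "Network traffic analysis detected anomalous incoming Remote Desktop Protocol "
    "(RDP) communication to 13.65.113.217, associated with your resource "
    "4255c1da87924ebda2e54616ea906f74, from multiple sources."
)

# Hypothetical inventory: public prefixes and resource IDs the organisation owns.
# Prefixes are RFC 5737 documentation ranges, i.e. constructed placeholders.
OWNED_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]
KNOWN_RESOURCES = {"0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"}  # placeholder id

# Matches the "communication to <ip>, associated with your resource <id>" shape.
ALERT_RE = re.compile(
    r"communication to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*associated with your "
    r"resource (?P<resource>[0-9a-fA-F]{32})"
)


def parse_rdp_alert(text):
    """Extract the victim IP and the 32-hex resource id from the alert description."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("alert text does not match the expected RDP alert format")
    return {"victim_ip": ipaddress.ip_address(m["ip"]), "resource_id": m["resource"].lower()}


def triage_rdp_alert(text, owned_prefixes=OWNED_PREFIXES, known_resources=KNOWN_RESOURCES):
    """Classify the alert by asset ownership.

    'owned-investigate': the IP or resource is ours, treat as a real RDP exposure.
    'unowned-verify': neither is in our inventory; confirm with the provider
    before closing, since a wrong or stale inventory looks the same as a false positive.
    """
    alert = parse_rdp_alert(text)
    nets = [ipaddress.ip_network(p, strict=False) for p in owned_prefixes]
    ip_owned = any(alert["victim_ip"] in n for n in nets)
    resource_known = alert["resource_id"] in {r.lower() for r in known_resources}
    verdict = "owned-investigate" if (ip_owned or resource_known) else "unowned-verify"
    return {**alert, "ip_owned": ip_owned, "resource_known": resource_known, "verdict": verdict}


if __name__ == "__main__":
    print(triage_rdp_alert(ALERT_TEXT))
```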

2 Replies
I would suggest that you open a support ticket so that our experts can help you find the root cause of this alert.
Thanks for the suggestion. I was hoping to bring this type of alert public to assist others. If anyone has any thoughts/advice on a potential explanation, please let me know.

Cheers