20.64.105.168 — Microsoft Corporation, US — High (76%)

Check an IP Address, Domain Name, Subnet, or ASN

20.64.105.168 was found in our database!

Confidence Level

76%

High?

Geolocation

🇺🇸

United StatesSan Antonio

ISPMicrosoft Corporation

ASNAS8075

Activity Timeline

First seenJan 23, 2026, 09:31 AM

Last seen5h ago

119Sessions

188Events

Protocol Breakdown

HTTPS

53 / 83

HTTP

11 / 21

SMTP

8 / 12

TELNET

8 / 12

MONGODB

5 / 9

ELASTICSEARCH

8 / 8

FTP

2 / 7

SSH

6 / 7

DOCKER

3 / 7

IMAP

4 / 5

REDIS

2 / 5

POSTGRES

4 / 4

SIP

1 / 3

SMB

2 / 3

MSSQL

2 / 2

20.64.105.168 has a high threat confidence level of 76%, originating from San Antonio, United States, on the Microsoft Corporation network (8075). It has been observed across 119 sessions targeting HTTPS, HTTP, SMTP, TELNET, MONGODB and 10 other protocols, First observed on January 23, 2026, most recently active March 5, 2026.

Behaviors

Classified behavioral patterns observed

Redis Mglndd Campaign Activity

low1x

Redis session where the client presents the MGLNDD-prefixed identifier (for example MGLNDD_[ip]_6379) within the connection metadata, indicating activity from a specific automated Redis scanning framework. The behavior is triggered by the previously defined primitive detecting this exact tag pattern and groups sessions attributed to that tooling. The behavior reflects identifiable automated access rather than standard Redis client usage and does not assume additional commands beyond the observable identifier.

Http Root Path Request

info5x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Https Root Path Request

info3x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Elastic Http Get Request9 Docker Get Method7 Http Method Get6 Elastic Http Bad Request Path Probe5 Https Path Root3 Mongodb Buildinfo3 Docker Bad Request Uri3 Smtp Ehlo Greeting2 Ftp Auth Ssl1 Ftp Auth Tls1 Http Path Bad Request1 Redis Mglndd Client Identifier Tag1

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
20.163.13.196	67%	35
20.102.115.195	50%	32
20.97.204.28	98%	58
20.215.130.165	56%	1
52.188.224.110	67%	51

IP Address	Confidence	Events
18.220.192.102	72%	110
66.132.153.136	99%	1,632
198.235.24.54	91%	176
91.230.168.187	59%	62
172.236.127.133	82%	481