Microsoft Defender Impossible Travel Activity - Microsoft Mexico IPs

Julia Mora 20 Reputation points
2026-01-27T21:04:42.8866667+00:00

Hi Team,

We’ve recently seen an uptick in what appear to be false positive Microsoft Defender Impossible Travel Activity alerts between the United States and the following Mexico-based IPs:

158.23.85.187

158.23.93.170

158.23.86.108

(And likely additional IPs as well.)

All of these Mexico IP addresses belong to Microsoft and are associated with Microsoft OneDrive services.

What we’re seeing is a pattern where a user reviews a file in SharePoint, then accesses or uploads the same file via OneDrive, which triggers the Impossible Travel alert. The U.S. IPs involved are expected and part of the organization’s normal environment — however, Microsoft Defender appears to be flagging its own Microsoft infrastructure as “Impossible Travel Activity.”

We’re asking for an internal review of the Impossible Travel detection logic at Microsoft since it's triggering false positives, and we would like confirmation on whether this behavior is being observed elsewhere.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps

1 answer

  1. Harmz Singh 0 Reputation points
    2026-01-28T12:27:54.0766667+00:00

    We're seeing similar issues today - we're based in the UK and getting a bunch of alerts for IPs based in the Netherlands.

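An added example for triaging the pattern reported in this thread (it is not Microsoft's detection logic and not code from either poster): it marks an impossible-travel alert as a likely service-side hop only when one leg is on the organization's own network and the other is a provider-owned address seen through a file-sharing app. The `Leg`/`Alert` structures, the app labels and both CIDR lists are constructed assumptions; `158.23.0.0/16` is a placeholder to be replaced with the provider's published ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ASSUMPTION: constructed placeholder ranges, not verified published data.
# Replace with the provider's published ranges and your real egress ranges.
PROVIDER_RANGES = [ip_network("158.23.0.0/16")]
CORPORATE_RANGES = [ip_network("203.0.113.0/24")]
SERVICE_APPS = {"OneDrive", "SharePoint"}  # constructed app labels

@dataclass
class Leg:
    ip: str
    country: str
    app: str

@dataclass
class Alert:
    user: str
    legs: tuple  # the two activities the alert paired together

def in_any(ip, ranges):
    addr = ip_address(ip)
    return any(addr in net for net in ranges)

def triage(alert):
    """Return 'likely-service-hop' or 'review' for one alert."""
    corp = [l for l in alert.legs if in_any(l.ip, CORPORATE_RANGES)]
    remote = [l for l in alert.legs if not in_any(l.ip, CORPORATE_RANGES)]
    if len(corp) != 1 or len(remote) != 1:
        return "review"  # no anchor on the known network: keep for an analyst
    leg = remote[0]
    # A provider-owned address alone is not enough: provider address space
    # can also host rented compute, so the app on that leg must match too.
    if in_any(leg.ip, PROVIDER_RANGES) and leg.app in SERVICE_APPS:
        return "likely-service-hop"
    return "review"

# Constructed sample alerts; the first mirrors the SharePoint/OneDrive case.
SAMPLE = [
    Alert("user-a", (Leg("203.0.113.10", "US", "SharePoint"),
                     Leg("158.23.85.187", "MX", "OneDrive"))),
    Alert("user-b", (Leg("203.0.113.11", "US", "SharePoint"),
                     Leg("198.51.100.7", "MX", "OneDrive"))),
    Alert("user-c", (Leg("203.0.113.12", "US", "SharePoint"),
                     Leg("158.23.93.170", "MX", "Portal sign-in"))),
]

def triage_all(alerts=SAMPLE):
    return {a.user: triage(a) for a in alerts}
```

The output is a triage label for an analyst queue, not a suppression rule; alerts marked `review` keep their normal handling.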
