This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 77%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Hi Team,
We’ve recently seen an uptick in what appear to be false positive Microsoft Defender Impossible Travel Activity alerts between the United States and the following Mexico-based IPs:
158.23.85.187
158.23.93.170
158.23.86.108
(And likely additional IPs as well.)
All of these Mexico IP addresses belong to Microsoft and are associated with Microsoft OneDrive services.
What we’re seeing is a pattern where a user reviews a file in SharePoint, then accesses or uploads the same file via OneDrive, which triggers the Impossible Travel alert. The U.S. IPs involved are expected and part of the organization’s normal environment — however, Microsoft Defender appears to be flagging its own Microsoft infrastructure as “Impossible Travel Activity.”
We’re asking for an internal review of the Impossible Travel detection logic at Microsoft since it's triggering False Positives and would like confirmation on whether this behavior is being observed elsewhere.
A tool that provides visibility, control, and threat protection for cloud-based applications and services
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 49%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFJ%3C/text%3E%3C/svg%3E)
Seeing similar alerts over here, All started today, all showing from the same 158.23.x.x block but the user's don't even have to upload or access the file in OneDrive. Looks like it is occurring for some user's just based on accessing it in MSWAC.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 50%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Us too. We are in Canada. That was crazy though, sent us spending a bunch of time trying to figure out what was going on.
It’s nice to see this and that it’s not just us.
What is up with Microsoft this month?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 28.000000000000004%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
This is also happening to us and our company is based in Australia. I've noticed that there are some issues with Microsoft recently though so I guess they are having issues with their servers.
Ok awesome — glad we’re not the only ones seeing this.
I’ve opened a Microsoft Support case to dig into it further. The AI response also suggested reporting these specific IPs as “safe” to refine the detection logic and reaching out to Microsoft Support for an internal review, but since support can be very slow to respond (especially on how to actually submit that), I figured I’d try the community route.
Appreciate the confirmation and insight!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 22%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
We're seeing similar issues today - we're based in the UK and getting a bunch of alerts for IP's based in the Netherlands.