Hi there,
As per your information, I totally get it. Blocking all of AS8075 will break legit Microsoft stuff. Here’s the clean, low-drama way to block Azure VPS abuse without hurting real Microsoft services.
- Allow first, then block. Use Microsoft’s official feeds: M365 Endpoints + Azure Service Tags (only the tags you need, e.g., `AzureFrontDoor.Backend`). Avoid broad tags like `AzureCloud`.
- Keep Bingbot. Allow only if reverse DNS ends with `search.msn.com` and forward-resolves back to the same IP.
- Block the rest. Drop AS8075 (and other cloud ASNs) except what’s on your allowlists.
- Optional hardening. Add an IP-intel “hosting/cloud” category block to catch generic VPS/proxy ranges.
- Automate. Nightly job to refresh the M365 + Service Tags JSON and update your firewall/WAF objects.
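
The allow-first, then-block order and the Bingbot reverse/forward DNS check from the steps above, as an added Python example that is not part of the original post. The feed contents and ASN prefixes are constructed from documentation ranges, and `allowlist_from_tags`, `is_bingbot` and `decide` are hypothetical names.

```python
import ipaddress
import socket

# Constructed sample in the shape of the Azure Service Tags JSON download;
# the prefixes are documentation ranges, not real Microsoft addresses.
SERVICE_TAGS = {"values": [
    {"name": "AzureFrontDoor.Backend",
     "properties": {"addressPrefixes": ["192.0.2.0/26"]}},
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["192.0.2.0/24", "198.51.100.0/24"]}},
]}
# Constructed stand-in for the prefixes announced by the ASN being dropped.
BLOCKED_ASN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]


def nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def allowlist_from_tags(feed, wanted):
    """Collect prefixes only for the named tags, never the whole feed."""
    out = []
    for entry in feed["values"]:
        if entry["name"] in wanted:
            out += nets(entry["properties"]["addressPrefixes"])
    return out


def is_bingbot(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS (IPv4): PTR under search.msn.com, A back to ip."""
    try:
        host = reverse(ip)[0].rstrip(".").lower()
        if not host.endswith(".search.msn.com"):
            return False  # a bare suffix match would accept fakesearch.msn.com
        return ip in forward(host)[2]
    except OSError:
        return False  # no PTR or no A record: treat as unverified


def decide(ip, allow, block, bingbot_check=is_bingbot):
    """Allow first, then block; DNS is queried only for would-be-blocked IPs."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in allow):
        return "allow"
    if not any(addr in n for n in block):
        return "default"  # outside the cloud ranges: normal policy applies
    return "allow" if bingbot_check(ip) else "block"
```

A nightly job would reload the real feed into `allowlist_from_tags` and push the resulting prefixes to the firewall/WAF objects.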