how does one report an RDP attack to Microsoft when it’s happening in real time? [closed]

To my surprise, Security Event 10 was for 104.43.193.6 which is apparently a Microsoft ip address:
http://ip2location.com/demo/104.43.193.6 =. Microsoft Corporation.

Likely AFAIK some has leased 104.43.193.6 and is using it to randomly attack ip addresses with the hope of logging on via RDP …

since my web server is a dedicated Windows Web Server that is relatively unknown (it’s NOT Sony and we are not hosting trailers for a silly movie), it’s highly unlikely that it was attacked other than by random churning through ip address ranges.

it’s normal for such churning attacks, even simultaneous ones, for example, today the Microsoft owned ip address, another from China, and at third from Kansas City were attempting simultaneously to log on via RDP.

what bothers me is that one would hope that Microsoft would show enough concern to want to shut down one of its customers involved in hacking; to be fair, it could also be someone who has compromised a computer that belongs to one of Microsoft’s customers.

MORE INFORMATION

Microsoft Canada +1 905 568-0434 swicthboard transferred me to someone in the Philippines, wrong department, who transferred me to malware (wrong department) who was not capable of understanding the issue and after 20 minutes finally transferred me to someone in professional services who was also clueless and after another 15 minutes was replaced by a recording that stated all of Microsoft’s phone lines were busy; the recording suggested using the internet to contact Microsoft.

Half way through trying to report the RDP attack to Microsoft, the attacking ip address stopped trying … at my end, via WireShark, logs were captured.

One hopes perhaps Microsoft would like to see those logs … one also hopes there is a better way of informing Microsoft of such attacks as they are happening.

how does one report an RDP attack to Microsoft when it’s happening in real time?

P.S.: if this is the wrong forum for this question, please redirect me. Thank you.

2015-12-26 update (from ms auto-reply):

Thank you for contacting cert@microsoft.com.    
This alias is monitored by the Microsoft    
Online Services Security Incident Response Team    
and is used to collect security and abuse reports    
from security organizations specific to our Online Services    
such as Windows Azure, Bing, Hotmail, Windows Live, etc.  

This alias is not currently monitored 24/7;
expect a response in 1-2 business days.  

Answer

If you check the whois record for that IP, it tells you:

Comment: To report suspected security issues specific to
traffic emanating from Microsoft online services, including the
distribution of malicious content or other illicit or illegal material
through a Microsoft online service, please submit reports to:
Comment: * https://cert.microsoft.com.

update ~~ from direct ms e-mail to myself {gerry}:
(a) “the max length for e-mail addresses has changed to 100” by ms so most e-mail addresses can now be accepted
(b) one “can always send IP details, logs and any helpful information to cert@microsoft.com”
(c) ms “will always take reports at this address if you can provide us with enough information to investigate. We really stress the timestamps, the more accurate they are, the faster we can identify those responsible”

Attribution
Source : Link , Question Author : gerryLowry , Answer Author : gerryLowry

Leave a Comment