Avast detected an IP connect associated w/Microsoft - possible false positive?

Hey there,

Around a day ago, Avast detected a rather bizarre connection, citing a malware object originating from/named “https://131.253.61.66”. I went ahead and did a fair amount of research on it, only to find that this IP has (supposed) connections with Microsoft. The detection was persistent until 2 or 3 restarts later (I would provide a copy of the object itself, but it seems to have gone missing - any and all trace [logs, virus chest object] seems to have disappeared).

For a bit more background information on this, take a look at this bleepingcomputer post that I created whilst the "infection" was still relatively fresh.

For contingency, here is what the original post stated:

Hey there fellow bleepers,

I was wondering if I could receive your opinion on whether or not one of my computers is infected - it seems that every time I connect to my home internet connection, Avast proceeds to block a malware object named “https://131.253.61.66”. After doing a small amount of research, I found that this specific IP is (more or less) associated with Microsoft; is it possible that this is a legit connection being recognized as a false positive?

Some other information:
P2P Windows updates are disabled.
This computer is connected via VPN 99% of the time.
Rkill, adwcleaner, and a quick MBAM scan all came back clean (logs for the first two are available if necessary).
OS is Win10 Professional, 64-bit.
Thanks!

Blacklist check
https://virustotal.com/en/url/1d219b113e1c9014d8c415eebbc83593b6bb0f12cb01d5baf86870544c64b452/analysis/1486679299/

IP history >> https://virustotal.com/en/ip-address/131.253.61.66/information/

IP scan >> https://www.metadefender.com/#!/results/ip/MTMxLjI1My42MS42Ng==

Interesting. Thanks for the resources, Pondus!

Apart from what our forum friend, Pondus, reports, some additional abuse info on that IP in question:

Flagged because abuse on that IP has been reported: https://www.abuseipdb.com/check/131.253.61.66
Nine reports for port scanning, web spam etc.

Both malware and phishing have been reported: https://cymon.io/131.253.61.66

Reporting sources: hybrid-analysis.com, trendmicro.com, virustotal.com, phishtank

polonus (volunteer website security analyst and website error-hunter)