Advanced Threat Protection: False positive to Google owned IP address?

We're noticing the same for the IP 216.239.36.21.

It started today for us and I can't figure out if this is a False Positive or not.

I am getting the same thing suddenly starting this morning, every hour. Is this a false positive?

It appears that this IP has a history of negative flags.  We are seeing these ATP alerts today as well.  If you look here:

https://www.virustotal.com/gui/ip-address/216.239.36.21/detection

And Here:

https://ip-46.com/216.239.36.21

You will see why ATP is triggering.

My only guess is that this site is associated with Google Cloud and not actually hosting Google content.

EDIT:

Here is what we are dealing with:

https://support.google.com/cloudidentity/answer/2579934?hl=en

Our particular ATP alerts are being triggered by msn.lockerdome.com which looks like a shady Ad network.

I'm with everyone else.  Saw it multiple times today.

I need to get logging on our DNS servers to be longer because by the time I check the local AD DNS to see which device did the query it is already overwritten.

@AdamBasalyga very helpful info. I was just going to update that msn.lockerdome.com is what is triggering this and you had already edited.

I do see there were recently other shady sites hosted at this IP, so I am not sure lockerdome.com is directly to at fault for the security warnings, but they are definitely hosting ads on an IP address that has hosted malicious sites in the recent past on Google's cloud platform.

2020:05:01-07:58:49 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://x.mdhv.io/"

Yes, and anyone that still might be launching IE with MSN.com as their default page will trigger this alert.  

This is from the msn.com page source:

<iframe scrolling="no" src="" data-url="msn.lockerdome.com/.../12316287544270694-xxx" data-id="381" data-m='{"i":381,"p":365,"n":"externalcontent","t":"msn.lockerdome.com/.../12316287544270694-xxx","o":4}' ></iframe>

Yes, that is exactly it. MSN.com triggers this.

Thanks Adam!

So we are creating and exception to this IP then...

We chose to add a forward lookup zone to DNS for msn.lockerdome.com with a default A record pointing to 127.0.0.1 to keep it from hitting the firewall...