Advanced Threat Protection: False positive to Google owned IP address?

It appears that this IP has a history of negative flags.  We are seeing these ATP alerts today as well.  If you look here:

https://www.virustotal.com/gui/ip-address/216.239.36.21/detection

And Here:

https://ip-46.com/216.239.36.21

You will see why ATP is triggering.

My only guess is that this site is associated with Google Cloud and not actually hosting Google content.

EDIT:

Here is what we are dealing with:

https://support.google.com/cloudidentity/answer/2579934?hl=en

Our particular ATP alerts are being triggered by msn.lockerdome.com which looks like a shady Ad network.

@AdamBasalyga very helpful info. I was just going to update that msn.lockerdome.com is what is triggering this and you had already edited.

I do see there were recently other shady sites hosted at this IP, so I am not sure lockerdome.com is directly to at fault for the security warnings, but they are definitely hosting ads on an IP address that has hosted malicious sites in the recent past on Google's cloud platform.

2020:05:01-07:58:49 severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" dstip="216.239.36.21" url="https://x.mdhv.io/"

Yes, and anyone that still might be launching IE with MSN.com as their default page will trigger this alert.  

This is from the msn.com page source:

<iframe scrolling="no" src="" data-url="msn.lockerdome.com/.../12316287544270694-xxx" data-id="381" data-m='{"i":381,"p":365,"n":"externalcontent","t":"msn.lockerdome.com/.../12316287544270694-xxx","o":4}' ></iframe>

Yes, that is exactly it. MSN.com triggers this.

Thanks Adam!

So we are creating and exception to this IP then...

We chose to add a forward lookup zone to DNS for msn.lockerdome.com with a default A record pointing to 127.0.0.1 to keep it from hitting the firewall...

We chose to add a forward lookup zone to DNS for msn.lockerdome.com with a default A record pointing to 127.0.0.1 to keep it from hitting the firewall...