I have the range 18.104.22.168/15 blocked.
Those pages look to me like a hack attempt, possibly from something hosted on MS by a hacker.
Looking further, there is the tag NTINET which MAY tie in with ntinet(dot)com. A very brief check suggests the 137 range above is actually DSL and I have a note against my entry in the database saying, "possibly dsl but first hit was to (honeypot domain) as a bad bot - maybe cloud?"
I do not have anything from this range in my current logs (from 1st May to date).
Anyone else have information on this?