Thinking of blocking 40.64.0.0/10 and 51.140.0.0/14 (MSFT)

Seen some bot stuff recently

         

SumGuy

2:00 am on Sep 24, 2019 (gmt 0)

Thinking of blocking 40.64.0.0/10 and 51.140.0.0/14 (MSFT) at the router because of some not-nice behavior.

Is there a legit reason to keep those CIDRs open? Anyone ever see legit (or wanted/desirable) hits from there?

Pfui

5:53 am on Sep 24, 2019 (gmt 0)

This is going to sound corny but have you tried reporting any of the undesirables when they strike? Some months ago I figured what the heck and when IPs are particularly egregious, I fire off an e-mail a la:

-----
To: abuse@microsoft.com
Subject: Abuse from: 104.211.62.xyz
Message:

Multiple WordPress-specific exploit probes.

IP Location: USA
IP Reverse DNS (Host): 104.211.62.xyz
IP Owner: Microsoft Corporation

[My IP here] ACCESS LOG:

[Ten lines or so of raw log.]
-----

Reporting momentarily relieves my ire, even though I've never received so much as a canned response.

You can also report a CIDR but the log specifics help the other end nail down if the problem's with an Azure account, etc.

Then again, I never get any wanted/desirable hits from any MS addresses any more -- only relentless and rude bingbot; never any legit referral traffic -- so no big loss if you were to axe 'em, imho.

blend27

6:08 pm on Feb 4, 2020 (gmt 0)

I've been blocking these for some time now with no negative effects for Bing SERP, well no positive either....
NetRange: 13.64.0.0 - 13.107.255.255
CIDR: 13.64.0.0/11, 13.104.0.0/14, 13.96.0.0/13
NetName: MSFT

NetRange: 104.40.0.0 - 104.47.255.255
CIDR: 104.40.0.0/13
NetName: MSFT

NetRange: 40.126.128.0 - 40.127.255.255
CIDR: 40.126.128.0/17, 40.127.0.0/16
NetName: MSFT

inetnum: 51.140.0.0 - 51.145.255.255
CIDR: 51.140.0.0/14
netname: MICROSOFT


Most of the time one IP just got the home page and followed all the links from it, swapping IPs/ranges but keeping the same UA. No CSS/JS files requested, no JS executed.

Here are some identical headers per request on a site that allows those ranges, with the same UA:
-----------------------------
ip: 13.69.199.xx
remote host: 13.69.199.xx
TimeDiff(0)
time: {ts '2020-02-04 06:18:46'}
http_content:
method: GET
protocol: HTTP/1.1
connection: Keep-Alive
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, sdch
host: www.example.com
Upgrade-Insecure-Requests: 1
content-length: 0


Additionally sometimes the bot asks for an existing URI on a site that is not linked to from any previously requested files.

One example is from an e-com site that hides the ShoppingCart link unless the user adds something to a Cart...

So me thinks they do get the "Shopping List" before they even get to the site.
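The behaviour blend27 describes (one User-Agent walking the site from several Microsoft ranges, never fetching CSS/JS, and hitting a URI no fetched page links to) can be scored from access records. The script below is an added example, not code from the thread; the site map, the request list and the "/cart is unlinked until the basket is non-empty" rule are constructed, and the watched ranges are the CIDRs listed in the posts above.

```python
import ipaddress
from collections import defaultdict

# CIDRs named in this thread as blocked/suspect (MSFT/Azure).
WATCH_RANGES = [ipaddress.ip_network(c) for c in (
    "13.64.0.0/11", "13.96.0.0/13", "13.104.0.0/14", "104.40.0.0/13",
    "40.64.0.0/10", "40.126.128.0/17", "40.127.0.0/16", "51.140.0.0/14")]

# Constructed site map (assumption): page -> links a browser would see on it.
SITE_LINKS = {
    "/": ["/about", "/products", "/static/site.css", "/static/app.js"],
    "/about": ["/", "/static/site.css"],
    "/products": ["/products/widget", "/static/site.css", "/static/app.js"],
    "/products/widget": ["/products", "/cart/add"],
}
# "/cart" is linked from nowhere until something is in the basket, so a cold
# GET of it means the URL came from somewhere other than this site's pages.

ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2")

UA_IE11 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
UA_CHROME = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/79.0 Safari/537.36")

# Constructed requests (source IP, path, User-Agent) in arrival order:
# the IE11 UA hops between three Microsoft ranges; the Chrome one is a
# normal visitor for contrast.
REQUESTS = [
    ("13.69.199.12", "/", UA_IE11),
    ("40.94.3.7", "/about", UA_IE11),
    ("51.140.8.9", "/products", UA_IE11),
    ("13.69.199.12", "/cart", UA_IE11),
    ("203.0.113.20", "/", UA_CHROME),
    ("203.0.113.20", "/static/site.css", UA_CHROME),
    ("203.0.113.20", "/static/app.js", UA_CHROME),
    ("203.0.113.20", "/products", UA_CHROME),
]


def in_watch_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCH_RANGES)


def profile(requests, site_links):
    """Per User-Agent: how many /16s it came from, how many hits fell in the
    watched ranges, whether it ever fetched CSS/JS/images, and which paths it
    requested without having fetched a page that links to them."""
    by_ua = defaultdict(list)
    for ip, path, ua in requests:
        by_ua[ua].append((ip, path))
    report = {}
    for ua, reqs in by_ua.items():
        slash16s = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip, _ in reqs}
        watched = sum(1 for ip, _ in reqs if in_watch_ranges(ip))
        assets = sum(1 for _, p in reqs if p.lower().endswith(ASSET_SUFFIXES))
        seen_links, unlinked = set(), []
        for i, (_, path) in enumerate(reqs):
            # The first hit is the entry point; every later path should have
            # been linked from a page this UA already fetched.
            if i > 0 and path not in seen_links:
                unlinked.append(path)
            seen_links.update(site_links.get(path, ()))
        report[ua] = {
            "distinct_16s": len(slash16s),
            "watched_hits": watched,
            "asset_requests": assets,
            "unlinked_paths": unlinked,
            # Same UA from several /16s with no asset fetches, or a path that
            # nothing it saw links to: either is enough to flag it.
            "suspicious": (len(slash16s) > 1 and assets == 0) or bool(unlinked),
        }
    return report


if __name__ == "__main__":
    for ua, row in profile(REQUESTS, SITE_LINKS).items():
        print(ua[:40], row)
```

The "unlinked" test needs the site's real link graph; on a live site it would be built from the HTML, not hand-written as here. A browser that lands on a deep URL from a bookmark or search result will also trip it once, so it is a scoring signal to combine with the range hopping and the missing asset requests, not a block rule on its own.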

lucy24

6:53 pm on Feb 4, 2020 (gmt 0)

> Thinking of blocking 40.64.0.0/10 and 51.140.0.0/14 (MSFT) at the router because of some not-nice behavior.
Watch out. 40.77.167-168 is used by the bingbot. In the YMMV category, other parts of 40.77 are, or have been, used by the plainclothes bingbot. (The rest of the /10 does seem to be little but bad actors.)

I don't know what happens if you block one of the multitudinous bingbot ranges while continuing to allow others.

wilderness

8:01 pm on Feb 4, 2020 (gmt 0)

It's from their hosting ranges, whatever those are!
This is not the first time.

40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET /.env HTTP/1.1" 301 238 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362"
40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET /.remote HTTP/1.1" 301 241 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362"
40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET /.local HTTP/1.1" 301 240 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362"
40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET /.production HTTP/1.1" 301 245 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362"
40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET //vendor/.env HTTP/1.1" 301 245 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362"

denied 74 thru 127 and poked a hole for 77.


[edited by: not2easy at 9:07 pm (utc) on Feb 4, 2020]
[edit reason] ftfy [/edit]
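Two things in the last posts are worth seeing in code: wilderness's "denied 74 thru 127 and poked a hole for 77" (a router or firewall wants explicit prefixes, so the hole has to be expressed as the blocks around it) and the /.env-style dotfile probes in the log. The script below is an added example, not anything posted in the thread. It assumes the hole is the whole 40.77.0.0/16 (lucy24's narrower 40.77.167.0/24 and 40.77.168.0/24 would work the same way), its first two sample log lines are copied from wilderness's post, the other two are constructed, and the probe pattern deliberately matches any dotfile at the docroot or under /vendor/, which is broader than the four names in the post.

```python
import ipaddress
import re

# Deny range as wilderness describes it: second octet 74 through 127 of 40.x,
# i.e. 40.74.0.0 - 40.127.255.255, with 40.77.0.0/16 punched out as the hole.
# Assumption: "poked a hole for 77" means the whole /16.
DENY_RANGES = [("40.74.0.0", "40.127.255.255")]
ALLOW_HOLES = ["40.77.0.0/16"]


def carve(deny_ranges, allow_holes):
    """Minimal CIDR list covering deny_ranges with allow_holes removed."""
    nets = []
    for first, last in deny_ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    nets = list(ipaddress.collapse_addresses(nets))
    for hole in map(ipaddress.ip_network, allow_holes):
        kept = []
        for net in nets:
            if hole.subnet_of(net):
                kept.extend(net.address_exclude(hole))  # split around the hole
            elif net.subnet_of(hole):
                continue  # whole block lies inside the hole: drop it
            else:
                kept.append(net)
        nets = list(ipaddress.collapse_addresses(kept))
    return sorted(nets)


def is_denied(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Apache/nginx "combined" log format, the shape of wilderness's lines.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Any dotfile at the docroot or under /vendor/, tolerating doubled slashes
# (the post shows //vendor/.env). Broader than the four names in the post.
PROBE = re.compile(r'^/+(?:vendor/)?\.[A-Za-z0-9_.-]+$')


def triage(log_lines, nets):
    """One dict per parseable line: source IP, path, denied by the carved
    list or not, and whether the path looks like a dotfile probe."""
    rows = []
    for line in log_lines:
        m = COMBINED.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        rows.append({"ip": ip, "path": path,
                     "denied": is_denied(ip, nets),
                     "probe": bool(PROBE.match(path))})
    return rows


UA_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362")
# Sample log: first two lines from wilderness's post, the rest constructed
# to show the hole (a 40.77.x bingbot-style hit) and an unrelated visitor.
SAMPLE_LOG = [
    f'40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET /.env HTTP/1.1" 301 238 "https://www.google.com/" "{UA_EDGE}"',
    f'40.112.129.217 - - [04/Feb/2020:08:56:34 -0700] "GET //vendor/.env HTTP/1.1" 301 245 "https://www.google.com/" "{UA_EDGE}"',
    '40.77.167.10 - - [04/Feb/2020:09:01:02 -0700] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '203.0.113.5 - - [04/Feb/2020:09:05:44 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

DENY_NETS = carve(DENY_RANGES, ALLOW_HOLES)

if __name__ == "__main__":
    for net in DENY_NETS:
        print("deny", net)
    for row in triage(SAMPLE_LOG, DENY_NETS):
        print(row)
```

For the range above the carve yields five prefixes (40.74.0.0/15, 40.76.0.0/16, 40.78.0.0/15, 40.80.0.0/12, 40.96.0.0/11); paste those into the router's deny list and the 40.77.0.0/16 hole falls out of the gap between the second and third. The probe check is independent of the source address, so the same dotfile requests from an address outside the denied ranges still get flagged, which is the case that matters once the scanner moves to a different provider.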