I know the roadmap for Defender includes geo blocking. That implies a reverse DNS check on the IP from which the Location is used to make a decision. I get a lot of abuse from Amazon EC2, and I contact Amazon with specifics so that they can identify and handle the source of that abuse. Geo Blocking is done on the front-end, where a new request gets a DNS check. I’d like to see an enhancement to Defender where that DNS data is saved, and when a new IP is banned, a defined hook is invoked, passing the DNS info as well as the IP. I’d use that hook to check to see if the registered owner of the IP matches a pattern like “Amazon Inc” and generate an email to email@example.com to report the IP for the specific date/time, etc
I get abuse from other providers of temporary host instances. I'd do the same with them or possibly ban them up-front. So a hook on the front-end would be helpful as well.