Just came across the thread below (Not sure if what's now displaying was meant to happen - I just pasted the url and ... ). Anyhow, thought I'd start a new thread rather than tag onto the previous.
My experience seems similar to the other thread's OP.
I was researching an apparently innocuous topic (ancient Greek roads in Attica). I started exploring links from a page (A GIS-BASED STUDY OF ATTICA) on the bordersofattica.org website. The further pages I tried to access, I assume, were all in that website.
MBAM threw up a number of Malicious Website Blocked alerts. I checked these and found only one IP address* referenced (*126.96.36.199) although there were a number of blocks.
I checked that address (on Central Ops net). That didn't enlighten me. Then, possibly like thais, I googled the address. This produced many links, one of which was "The Anti Hacker Alliance fights against 188.8.131.52". I clicked on this link, and first came to (I've left off the http bit deliberately) "//anti-hacker-alliance.com/index.php?ip=184.108.40.206". That page seemed to load successfully, but then it suddenly 'flipped' to a page "//www.validome.org/lang/en/get/http://220.127.116.11". At this point I think MBAM again threw up a couple of popups announcing further blockages. (On VirusTotal, Yandex Safebrowsing called the "Anti Hacker Alliance" a Malware site. The "Validome" url had no bad reports).
The flip to the "Validome" page worried me as further googling didn't seem to establish a connection between "The Anti Hacker Alliance" and "Validome" so I don't know if this was a valid redirection. I'll attach a (composite) screenshot of the "Validome" page below. I gather MBAM thought loading the "Validome" page was an attempt to access the malicious site.
I looked at the protection log again (an MBAM threat scan had been running at the time) and noted there were 3 "outbounds". There had been 2 when I first checked after noting the alert popups, but I subsaequently re-launched the "Validome" page from Firefox memory to get the screenshots.
I've kept the Threatlog and Protection Log if they're needed.