Connection was forcibly closed by TPC RST packet from Microsoft servers

We are experiencing intermittent but frequent connection terminations during communication with SharePoint Online via REST API.
After several internal investigations, we were unable to identify any root cause on our end.
We have observed unexpected connection resets originating from Microsoft servers, specifically during or after the TLS handshake.
Packet trace including the TCP RST. 
This packet appears to be an unsolicited TCP RST sent from Microsoft side.

396	19.654862	SharePoint IP	Client IP	TLSv1.2	357	Application Data
397	19.655259	SharePoint IP	Client IP	TLSv1.2	1013	Application Data
398	19.655344	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 402]
399	19.655376	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 402]
400	19.655387	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 402]
401	19.655376	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 402]
402	19.655387	SharePoint IP	Client IP	TLSv1.2	1448	Application Data
403	19.655476	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 405]
404	19.655495	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 405]
405	19.656337	SharePoint IP	Client IP	TLSv1.2	1212	Application Data
406	19.656367	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 408]
407	19.656412	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 408]
408	19.656412	SharePoint IP	Client IP	TLSv1.2	1070	Application Data
409	19.657129	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 411]
410	19.657192	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 411]
411	19.657292	SharePoint IP	Client IP	TLSv1.2	992	Application Data
412	19.657325	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 414]
413	19.657435	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460 [TCP PDU reassembled in 414]
414	19.657523	SharePoint IP	Client IP	TLSv1.2	992	Application Data
415	19.659729	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
416	19.660127	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
417	19.660216	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
418	19.660317	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
419	19.660318	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
420	19.661139	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
421	19.661235	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
422	19.662135	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
423	19.662212	SharePoint IP	Client IP	TCP	60	443 → Random Port [RST] Seq=... Win=0 Len=0
424	19.665417	Client IP	SharePoint IP	TCP	1514	443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460
425	19.766395	Client IP	SharePoint IP	TCP	1514	[TCP Retransmission] 443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460
426	20.367148	Client IP	SharePoint IP	TCP	1514	[TCP Retransmission] 443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460
427	21.167413	Client IP	SharePoint IP	TCP	1514	[TCP Retransmission] 443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460
428	21.179165	Client IP	SharePoint IP	TCP	1514	[TCP Spurious Retransmission] 443 → Random Port [ACK] Seq=... Ack=... Win=4194560 Len=1460
429	21.773431	Client IP	SharePoint IP	TCP	1514	443 [SYN, ECE, CWR] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

TLS Handshake Behavior: 
.NET-based applications on our server report the following exception:
System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---] System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.

We have included packet traces showing: 
- Successful TCP and TLS handshakes
- Encrypted application data sent by our client
- Acknowledge packets from your server
- Connection then abruptly closed by a TCP RST without any visible application-layer error

Environment & Testing:
- Operating System: Windows Server 2022
- Frameworks: .NET 6 / .NET 8
- Connectivity: REST API calls to SharePoint Online (no sync, no OneDrive, no hybrid setup), TLS1.2 used and set up based on Microsoft recommendations

Observations:
- Approximately 70% of API calls fail intermittently
- Issue occurs across multiple SharePoint sites and folders
- Affects all users (admin, regular users, etc.).
- No firewall, hardware, or configuration changes have occurred on the affected server
- Disabling security software had no impact
- Temporary switch to IPv6 improved stability for ~24 hours before the issue returned
- New development:
   - We moved some applications to a separate VPS — those are working correctly.
   - However, a similar issue has now started occurring on a completely different server hosted by a customer,
      indicating this may not be isolated to a single environment or IP.

Is this expected behavior under specific policies (e.g., IP reputation, rate limiting, User-Agent filtering)? 
Could there be a misconfiguration or conditional access policy silently blocking some connections? 
Is this possibly related to throttling or regional backend issues?

Thank you for any support in this case.