Lumma Stealer is likely exfiltrating sensitive data via compromised endpoints, leveraging phishing emails as its primary delivery vector. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate data exfiltration early, preventing further compromise and data loss.
IOC Summary
Malware Family: Lumma Stealer
Total IOCs: 3
IOC Types: url
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| url | hxxps://fourdigs.cyou | botnet_cc | 2026-05-07 | 75% |
| url | hxxps://honceybl.cyou | botnet_cc | 2026-05-07 | 75% |
| url | hxxps://balvlqts.cyou | botnet_cc | 2026-05-07 | 75% |
```kusto
// Hunt for access to known malicious URLs
// Source: ThreatFox - Lumma Stealer
let malicious_urls = dynamic(["https://fourdigs.cyou", "https://honceybl.cyou", "https://balvlqts.cyou"]);
UrlClickEvents
| where Url has_any (malicious_urls)   // term-based, case-insensitive match against the IOC list
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| UrlClickEvents | Ensure this data connector is enabled |
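To check the query's logic before running it in Sentinel, the following added example (not part of the original page) refangs the defanged IOC rows from the table into the `dynamic([...])` list the query uses and applies a `has_any`-style match to constructed `UrlClickEvents` rows. The event schema is assumed from the columns the query projects, and the boundary-aware match is only an approximation of KQL `has_any`; it also handles the `[.]` defanging style the table does not use.

```python
import re

# Constructed copy of the IOC table above, still defanged as published (type, value, threat type).
IOC_ROWS = [
    ("url", "hxxps://fourdigs.cyou", "botnet_cc"),
    ("url", "hxxps://honceybl.cyou", "botnet_cc"),
    ("url", "hxxps://balvlqts.cyou", "botnet_cc"),
]

# Constructed UrlClickEvents rows (assumed schema: the columns the hunting query projects).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-07T10:01:00Z", "AccountUpn": "alice@example.com",
     "Url": "https://fourdigs.cyou/login", "ActionType": "ClickAllowed", "IsClickedThrough": False},
    {"Timestamp": "2026-05-07T09:30:00Z", "AccountUpn": "bob@example.com",
     "Url": "https://contoso.com/report", "ActionType": "ClickAllowed", "IsClickedThrough": True},
    {"Timestamp": "2026-05-07T11:15:00Z", "AccountUpn": "carol@example.com",
     "Url": "HTTPS://Honceybl.CYOU", "ActionType": "ClickBlocked", "IsClickedThrough": False},
    {"Timestamp": "2026-05-07T08:00:00Z", "AccountUpn": "dave@example.com",
     "Url": "https://balvlqts.cyoux/", "ActionType": "ClickAllowed", "IsClickedThrough": True},
]

def refang(value: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> ., [:] -> :) so IOCs match live telemetry."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")

def url_iocs(rows):
    """Refanged URL indicators only; other IOC types would need a different table and column."""
    return [refang(value) for ioc_type, value, _ in rows if ioc_type == "url"]

def kql_dynamic_list(rows) -> str:
    """Render the URL IOCs as the dynamic([...]) literal the hunting query expects."""
    return "dynamic([" + ", ".join(f'"{u}"' for u in url_iocs(rows)) + "])"

def url_matches(url: str, iocs) -> bool:
    """Approximate KQL has_any: case-insensitive, and the indicator must end at a term
    boundary, so https://balvlqts.cyoux does not match the indicator for balvlqts.cyou."""
    return any(
        re.search(r"(?<![A-Za-z0-9])" + re.escape(ioc) + r"(?![A-Za-z0-9])", url, re.IGNORECASE)
        for ioc in iocs
    )

def hunt(events, rows):
    """Offline equivalent of the query: filter on the IOC list, then order by Timestamp desc."""
    iocs = url_iocs(rows)
    hits = [e for e in events if url_matches(e["Url"], iocs)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)
```

Running `hunt(SAMPLE_EVENTS, IOC_ROWS)` returns only the carol and alice rows, newest first; the `cyoux` row is excluded because the indicator does not end at a term boundary.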
Scenario: Legitimate Scheduled Job Execution
Description: A scheduled job using schtasks.exe runs a script that is flagged as suspicious due to its file name or content.
Filter/Exclusion: Check for ProcessName == "schtasks.exe" and CommandLine contains "schtasks /create /tn" or CommandLine contains "schtasks /run". Exclude tasks created by known system or admin tools.
Scenario: Admin Task Using PowerShell for System Maintenance
Description: An administrator uses powershell.exe to run a script for system updates or configuration changes, which matches the IOC pattern.
Filter/Exclusion: Filter by ProcessName == "powershell.exe" and CommandLine contains "Update-Module" or CommandLine contains "Get-Help". Exclude processes initiated by known admin tools or user accounts with elevated privileges.
Scenario: Legitimate Use of WMI for Monitoring
Description: A monitoring tool like wbemtest.exe or wmic.exe is used to query system information, which may trigger the rule due to similar command-line patterns.
Filter/Exclusion: Filter by ProcessName == "wbemtest.exe" or ProcessName == "wmic.exe". Exclude processes that are part of known monitoring or management tools.
Scenario: False Positive from a Security Tool’s Own Artifact
Description: A security tool like CrowdStrike Falcon or Microsoft Defender generates a file or process that matches the IOC pattern during its own operation.
Filter/Exclusion: Check for ProcessName or FileHash matching known security tool artifacts. Exclude processes with ParentProcessName matching the security tool’s own process name.
Scenario: Legitimate Use of a Scripting Tool for Automation
Description: A script written