The hypothesis is that the detected URLs belong to a ClearFake campaign, which lures users with deceptive URLs into fetching a malicious payload (URLhaus tags both entries below as malware_download). SOC teams should hunt proactively in Microsoft Sentinel (formerly Azure Sentinel) for DNS resolutions of, and web requests to, these domains so that exposed hosts are identified and contained before the payload runs and leads to credential theft, data exfiltration or further system compromise.
IOC Summary
Threat: ClearFake. Total URLs: 2. Active URLs: 1. URLs are defanged (hxxps); status reflects URLhaus at the time the list was pulled, so re-check it before acting on it.
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://argvlidcheck.co/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct | offline | malware_download | 2026-05-11 |
| hxxps://authshellverif.co/9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct | online | malware_download | 2026-05-11 |
Both URLs share the path /9c34bc13-1256-4e09-845e-9ea583fbef65/google.ct, which suggests one kit served from rotated domains; the path itself is therefore a useful pivot alongside the domain names.
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: ClearFake
// Both IOC domains are included: the offline one still reveals hosts that
// were exposed before the infrastructure went down.
let malicious_domains = dynamic(["authshellverif.co", "argvlidcheck.co"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: ClearFake
// The GUID path is shared by both IOC URLs, so it is matched on its own to
// catch the same lure served from a domain not yet listed.
let malicious_domains = dynamic(["authshellverif.co", "argvlidcheck.co"]);
let shared_path = "9c34bc13-1256-4e09-845e-9ea583fbef65";
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or RequestURL has shared_path
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
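The two hunts above are independent; a hit in one is easier to triage when it can be tied to the other. The following query is an added example (not part of the original page) that correlates a DNS lookup of a ClearFake domain with a web request from the same client shortly afterwards. It assumes DnsEvents.ClientIP and CommonSecurityLog.SourceIP carry the same client address and uses a one-hour window and a seven-day lookback, both of which are tuning choices rather than facts from the page.

```kql
// Added example: correlate DNS resolution with the follow-on web request.
// Assumptions: DnsEvents.ClientIP == CommonSecurityLog.SourceIP for the same
// client; the 1h window and 7d lookback are tuning choices.
let lookback = 7d;
let window = 1h;
let malicious_domains = dynamic(["authshellverif.co", "argvlidcheck.co"]);
// Path shared by both IOC URLs; matched alone to catch a rotated domain
let shared_path = "9c34bc13-1256-4e09-845e-9ea583fbef65";
let dns_hits =
    DnsEvents
    | where TimeGenerated > ago(lookback)
    | where Name has_any (malicious_domains)
    | project DnsTime = TimeGenerated, ClientIP, Computer,
              QueriedName = Name, ResolvedTo = IPAddresses;
let web_hits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestURL has_any (malicious_domains)
        or DestinationHostName has_any (malicious_domains)
        or RequestURL has shared_path
    | project WebTime = TimeGenerated, SourceIP, RequestURL,
              DestinationHostName, DeviceAction;
dns_hits
| join kind=inner web_hits on $left.ClientIP == $right.SourceIP
// Keep only web requests that follow the lookup within the window
| where WebTime between (DnsTime .. (DnsTime + window))
| extend SecondsBetween = datetime_diff("second", WebTime, DnsTime)
| project DnsTime, WebTime, SecondsBetween, ClientIP, Computer, QueriedName,
          ResolvedTo, RequestURL, DestinationHostName, DeviceAction
| order by DnsTime desc
```

The inner join drops web requests that have no logged DNS lookup (for example when the client uses a resolver outside the logged DNS servers); if that is a concern, start from web_hits and use kind=leftouter so every proxy hit is kept and the DNS columns are simply empty where no lookup was seen. DeviceAction tells you whether the proxy blocked the request, which decides whether the host needs containment or only a review.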
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF from a proxy or firewall); RequestURL and DestinationHostName must be populated by the sending device for the URL hunt to return anything |
| DnsEvents | Ensure this data connector is enabled (Windows DNS connector); if your DNS logs land in a different table, adjust the table and column names accordingly |
False positives: the hunts above match two specific attacker domains, so the scenarios below rarely fire against them. They matter when the hunt is widened beyond the listed IOCs (for example to URL patterns or to the shared path), and they should be implemented as allowlists rather than by dropping the hunt.
Scenario: Legitimate URL shortening service used for internal documentation
Description: An admin uses a URL shortener such as Bitly to generate short links for internal documentation and knowledge base articles.
Filter/Exclusion: Exclude URLs whose host is bitly.com or any known internal shortening service domain.
Scenario: Scheduled job for automated software updates
Description: A system administrator schedules a job with cron or Task Scheduler that downloads updates from a trusted repository (e.g., updates.examplecorp.com).
Filter/Exclusion: Exclude URLs whose host is updates.examplecorp.com or any other known internal update server.
Scenario: Admin task for endpoint protection rule testing
Description: A security team member manually tests a new endpoint protection rule by visiting a test page hosted on a local IIS server.
Filter/Exclusion: Exclude URLs whose destination falls in an internal IP range (e.g., 192.168.0.0/16) or whose host is an internal testing domain such as test-secure.example.com.
Scenario: Legitimate phishing simulation tool usage
Description: A security team uses a platform such as PhishMe or KnowBe4 to send simulated phishing emails with fake URLs for training purposes.
Filter/Exclusion: Exclude URLs whose host is phishme.com, knowbe4.com, or any other known phishing simulation domain.
Scenario: Cloud storage sync tool accessing public CDN links
Description: A company uses a cloud sync tool such as Dropbox or Google Drive that fetches static assets from public CDN links (e.g., cdn.example.com).
Filter/Exclusion: Exclude URLs whose host is a known CDN domain or part of the company's public asset hosting.
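The scenarios list exclusions in prose but do not show how to apply them. The following query is an added example (not part of the original page) of a widened web-traffic hunt with those exclusions implemented as allowlists. The allowlisted names and the 192.168.0.0/16 range are the placeholder values from the scenarios above and should be replaced with your own inventory; the "/google.ct" filename pivot is inferred from the two IOC URLs and may be noisy, so treat it as a tuning knob.

```kql
// Added example: widened hunt with the false-positive exclusions applied.
// Assumptions: allowlist entries and the internal range are the placeholder
// values from the scenarios; "/google.ct" is inferred from the IOC URLs.
let malicious_domains = dynamic(["authshellverif.co", "argvlidcheck.co"]);
let shared_path = "9c34bc13-1256-4e09-845e-9ea583fbef65";
// Allowlisted destinations drawn from the scenarios (replace with real inventory)
let allowed_domains = dynamic([
    "bitly.com",                  // URL shortener for internal docs
    "updates.examplecorp.com",    // scheduled software-update source
    "test-secure.example.com",    // endpoint-protection rule testing
    "phishme.com", "knowbe4.com", // phishing-simulation platforms
    "cdn.example.com"             // public asset CDN
]);
let internal_ranges = dynamic(["192.168.0.0/16"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(RequestURL) or isnotempty(DestinationHostName)
// Wide net: listed IOC domains, the shared path, or the same lure filename
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or RequestURL has shared_path
    or RequestURL endswith "/google.ct"
// Exclusions: allowlisted hosts (by hostname or inside the URL) ...
| where not(DestinationHostName has_any (allowed_domains))
| where not(RequestURL has_any (allowed_domains))
// ... and internal test destinations. coalesce() keeps rows whose
// DestinationIP is empty or not a valid IPv4, which would otherwise be
// dropped because not(null) evaluates to null and fails the filter.
| where not(coalesce(ipv4_is_in_any_range(DestinationIP, internal_ranges), false))
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```

Keep the allowlist short and specific: excluding a whole shortener or CDN domain also hides an attacker who hosts the lure there, so prefer matching on the exact hosts your own tooling uses. In Sentinel the allowlist is better kept in a watchlist (read with _GetWatchlist()) than inline, so analysts can maintain it without editing the query.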