This page covers the four URLs that URLhaus groups under tag e73f7ff7572070d56a631ac6796adabd, all classified as malware_download and added on 2026-05-21; two were still online when listed. Two of the four sit on shared, legitimate hosting (Bitbucket downloads and raw.githubusercontent.com), so a hit on the hostname alone is not evidence of compromise: hunt for the exact URL paths, and hunt by name only for the hosts that are not shared infrastructure. A request for any of these URLs from an endpoint indicates a malware staging or download step, which SOC teams should hunt for in Microsoft Sentinel (formerly Azure Sentinel) before the payload executes.
IOC Summary

Threat: e73f7ff7572070d56a631ac6796adabd
Total URLs: 4
Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxps://bitbucket.org/ghkjkghlkgl/ghf/downloads/2.jpg | online | malware_download | 2026-05-21 |
| hxxps://raw.githubusercontent.com/solid-23/bv/refs/heads/main/SijgpcA.txt | online | malware_download | 2026-05-21 |
| hxxps://toptionlab.co.za/tr.vbs | offline | malware_download | 2026-05-21 |
| hxxps://paste.sensio.no/BirdsKnocked | offline | malware_download | 2026-05-21 |
```kusto
// Hunt for DNS resolution of the hosts in this URLhaus set that are NOT shared hosting.
// Threat: e73f7ff7572070d56a631ac6796adabd
// bitbucket.org and raw.githubusercontent.com are omitted on purpose: resolving them is
// routine on any network and would drown the hunt in benign hits.
let dedicated_hosts = dynamic(["toptionlab.co.za", "paste.sensio.no"]);
DnsEvents
| where Name has_any (dedicated_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the exact URLhaus URLs (scheme omitted so http/https and
// defanged-vs-live logging all match) plus any request to the non-shared hosts.
// Threat: e73f7ff7572070d56a631ac6796adabd
let malicious_urls = dynamic([
    "bitbucket.org/ghkjkghlkgl/ghf/downloads/2.jpg",
    "raw.githubusercontent.com/solid-23/bv/refs/heads/main/SijgpcA.txt",
    "toptionlab.co.za/tr.vbs",
    "paste.sensio.no/BirdsKnocked"]);
let dedicated_hosts = dynamic(["toptionlab.co.za", "paste.sensio.no"]);
CommonSecurityLog
| where RequestURL has_any (malicious_urls) or DestinationHostName has_any (dedicated_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
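The same matching logic as the web-traffic hunt, run offline over a few constructed proxy log lines, as an added example that is not part of the original page or of URLhaus or Sentinel tooling. It refangs the IOC rows from the table above, normalizes each request to (host, path) so scheme, host case and query strings do not matter, and returns an exact-URL verdict for every IOC but a hostname-only verdict solely for hosts outside an assumed SHARED_HOSTS set. The log lines, IP addresses and the SHARED_HOSTS list are assumptions made for this example.

```python
"""Match URLhaus IOCs against proxy logs without hunting shared hosts by name.

Added example; the IOC rows are copied (defanged) from the table above, the
log lines and SHARED_HOSTS are constructed for this example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defanged IOCs from the table above. Offline URLs are kept: the payload may
# have been fetched while the URL was still live.
IOC_ROWS = [
    ("hxxps://bitbucket.org/ghkjkghlkgl/ghf/downloads/2.jpg", "online"),
    ("hxxps://raw.githubusercontent.com/solid-23/bv/refs/heads/main/SijgpcA.txt", "online"),
    ("hxxps://toptionlab.co.za/tr.vbs", "offline"),
    ("hxxps://paste.sensio.no/BirdsKnocked", "offline"),
]

# Hosts used by countless legitimate users: a hostname hit alone means nothing
# here, only the exact path does. Assumed list for this example.
SHARED_HOSTS = {"bitbucket.org", "raw.githubusercontent.com"}


def refang(url: str) -> str:
    """Undo hxxp(s):// and [.] / [:] defanging so the URL can be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def normalize(url: str) -> tuple[str, str]:
    """Return (host, path): scheme dropped, host lowercased, query string ignored."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "").lower(), parts.path or "/"


@dataclass(frozen=True)
class IocSet:
    exact: frozenset            # (host, path) pairs for every IOC
    dedicated_hosts: frozenset  # hosts that may be hunted by name alone

    @classmethod
    def from_rows(cls, rows):
        exact = {normalize(u) for u, _ in rows}
        hosts = {h for h, _ in exact}
        return cls(frozenset(exact), frozenset(hosts - SHARED_HOSTS))


def classify(request_url: str, iocs: IocSet) -> str:
    """'exact' for a full URL match, 'host' for a non-shared host match, else 'none'."""
    host, path = normalize(request_url)
    if (host, path) in iocs.exact:
        return "exact"
    if host in iocs.dedicated_hosts:
        return "host"
    return "none"


# Constructed proxy log lines: timestamp, source IP, request URL, device action.
SAMPLE_LOG = """\
2026-05-21T09:01:02Z 10.0.4.17 https://raw.githubusercontent.com/solid-23/bv/refs/heads/main/SijgpcA.txt allow
2026-05-21T09:01:05Z 10.0.4.18 https://raw.githubusercontent.com/python/cpython/main/README.rst allow
2026-05-21T09:02:11Z 10.0.4.17 https://bitbucket.org/ghkjkghlkgl/ghf/downloads/2.jpg?dl=1 allow
2026-05-21T09:03:40Z 10.0.4.22 https://bitbucket.org/atlassian/python-bitbucket/downloads/ allow
2026-05-21T09:04:00Z 10.0.4.17 http://toptionlab.co.za/tr.vbs block
2026-05-21T09:04:30Z 10.0.4.17 https://toptionlab.co.za/index.html allow
"""


def hunt(log_text: str, iocs: IocSet) -> list:
    """Return (source_ip, url, verdict) for each log line that matches an IOC."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, url, _action = line.split()
        verdict = classify(url, iocs)
        if verdict != "none":
            hits.append((src, url, verdict))
    return hits


if __name__ == "__main__":
    for src, url, verdict in hunt(SAMPLE_LOG, IocSet.from_rows(IOC_ROWS)):
        print(f"{verdict:5} {src} {url}")
```

On the constructed log, 10.0.4.17 produces three exact hits (including the Bitbucket request with a trailing query string and the tr.vbs fetch over plain http) plus one hostname-only hit on toptionlab.co.za, while the two unrelated GitHub and Bitbucket requests from other hosts produce nothing; a hostname-level hunt would have flagged all six lines.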
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by CEF-format proxy and firewall logs. Enable the CEF connector and confirm the device fills RequestURL; if it only sends the hostname, the web-traffic query can match on DestinationHostName alone. |
| DnsEvents | Populated by the DNS data connector. Enable it and confirm lookup query events (not only server events) are being collected. |
Scenario: A system administrator validates a new URL filtering tool by deliberately requesting one of the listed URLs from an admin workstation.
Filter/Exclusion: Do not exclude the URL itself. Suppress the alert only for the named admin workstation during the announced test window, require DeviceAction to show the request was blocked, and keep the raw event so the test remains auditable.
Scenario: A scheduled job fetches updates from a legitimate repository on bitbucket.org or raw.githubusercontent.com, the same shared hosts that serve two of the listed URLs.
Filter/Exclusion: Match on the full host and path of the listed URLs rather than on the hostname, so the job's own repository paths never match. If a hostname-level query is kept for visibility, exclude the update server's source IP range and the job's schedule window from that query only.
Scenario: A user opens a legitimate file-sharing link that URLhaus has listed in error.
Filter/Exclusion: Verify the listing (status, submitter, payload sample) and report the false positive to URLhaus; until it is removed, exclude only that exact URL, never the provider's domain or a whole category of cloud storage hosts.
Scenario: An endpoint protection agent such as CrowdStrike Falcon or Microsoft Defender for Endpoint (formerly Defender ATP) downloads a signature update, and the update URL coincidentally matches a listed hostname or URL.
Filter/Exclusion: Confirm the request came from the agent's own process and matches the vendor's published update infrastructure before excluding anything, then scope the exclusion to that exact URL as accessed from known endpoint protection software update