Adversaries operate Evilginx infrastructure (the IOCs listed below) to perform credential phishing and exfiltrate sensitive data by impersonating legitimate services. SOC teams should proactively hunt for these IOCs in Azure Sentinel to detect and mitigate early-stage phishing campaigns before significant data loss occurs.
IOC Summary
Malware Family: Evilginx
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 138[.]197[.]21[.]32:3333 | botnet_cc | 2026-05-07 | 75% |
| ip:port | 83[.]147[.]38[.]94:2030 | botnet_cc | 2026-05-07 | 75% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - Evilginx
let malicious_ips = dynamic(["138.197.21.32", "83.147.38.94"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["138.197.21.32", "83.147.38.94"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
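The queries above match on IP address only, while the ThreatFox entries are ip:port pairs. The following query is an added example, not part of the original hunt pack: it matches the exact ip:port pair in DeviceNetworkEvents, carries the confidence value through, and drops a placeholder allowlist of internal devices of the kind the false-positive scenarios describe (the device names are assumptions).

```kql
// Added example: match the full ip:port pair rather than the IP alone,
// so unrelated traffic to the same host on another port is not flagged.
// Constructed IOC table; values copied from the IOC Summary above.
let evilginx_iocs = datatable(ioc_ip:string, ioc_port:int, confidence:int)
[
    "138.197.21.32", 3333, 75,
    "83.147.38.94",  2030, 75
];
// Assumed allowlist of internal sources (backup host, bastion host); placeholder names.
let allowlisted_devices = dynamic(["backup01", "bastion01"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType in ("ConnectionSuccess", "ConnectionFailed", "ConnectionRequest")
| join kind=inner evilginx_iocs
    on $left.RemoteIP == $right.ioc_ip and $left.RemotePort == $right.ioc_port
| where DeviceName !in (allowlisted_devices)
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName),
            Accounts = make_set(InitiatingProcessAccountName)
    by DeviceName, RemoteIP, RemotePort, confidence
| order by Connections desc
```

The same join applies to CommonSecurityLog using DestinationIP and DestinationPort in place of RemoteIP and RemotePort.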
Scenario: Legitimate System Backup Job Using Known Evilginx-Related Domains
Description: A scheduled backup job uses a domain that is flagged by ThreatFox as associated with Evilginx, such as example.com (if it was previously compromised or misconfigured).
Filter/Exclusion: Exclude traffic originating from known backup tools like Veeam, Commvault, or Acronis, or filter by source IP ranges used by internal backup systems.
Scenario: Admin Access via SSH Using a Legitimate Bastion Host
Description: An admin connects to a bastion host using SSH, and the connection is flagged due to the use of a domain or IP associated with Evilginx.
Filter/Exclusion: Exclude SSH connections to known bastion hosts (e.g., bastion.example.com) or filter by user agents or SSH keys associated with authorized admin accounts.
Scenario: Legitimate Email Server Using a Misconfigured MX Record
Description: An email server (e.g., Microsoft Exchange or Postfix) is using a misconfigured MX record that resolves to a domain flagged by ThreatFox.
Filter/Exclusion: Exclude DNS queries for email-related domains (e.g., mail.example.com, smtp.example.com) or filter by DNS query types (e.g., MX records only).
Scenario: Internal Development Server Hosting a Staging Website
Description: A development server hosts a staging website that uses a domain previously associated with Evilginx due to a past compromise.
Filter/Exclusion: Exclude traffic to internal development domains (e.g., dev.example.com, staging.example.com) or filter by source IP ranges used by the development team.
Scenario: Legitimate Cloud Provider Using a Known Malicious IP Range
Description: A cloud provider (e.g.,